I am working on a REST API and I’ve noticed mass assignment can really
be a huge security hole if you don't take proactive measures. For
example:

  class User < ActiveRecord::Base
    has_many :categories
  end

  class Category < ActiveRecord::Base
    belongs_to :user
  end
If you call @category.update_attributes in your controller, you leave
the door open for someone to pass in :user_id or :user parameters and
change the ownership of the category.
Of course Rails has the conventions to prevent this from happening with:
  attr_protected :user_id, :user
But you don’t see much written about protecting attributes. Some models
will allow you to use validations to avoid security holes, but I’m
finding most of my belongs_to’s need to be protected.
In order to clean up my code and avoid stupid security holes, I’ve
thrown together a plugin to explore this problem. You can check it out
at http://code.google.com/p/secure-associations/ So far I’ve only added
a belongs_to_protected method which will call the regular belongs_to and
protect the related attributes.
If there’s another way people are addressing this problem, let me know.
Otherwise if anyone else wants to use this plugin, I’ll add support for
the rest of the ActiveRecord associations. I’m also thinking of making
an _immutable version which will allow you to only set an attribute
once. Is there another convention in Rails for doing this?
Here’s my initial blog post on the topic:
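The following is an added example, not code from the post above or from the secure-associations plugin. It is an ActiveRecord-free sketch of the problem the post describes: a plain mass-assignment setter with an attr_protected-style blacklist, a belongs_to_protected helper that declares the association and protects both the foreign key (user_id) and the object setter (user), and a write-once attribute along the lines of the "_immutable" idea. All class and method names here (Model, UnsafeCategory, Category, attr_immutable, ownership_after_update, ATTACKER_PARAMS) are assumptions chosen for illustration.

```ruby
# Added example: a minimal, self-contained model of mass assignment with
# protected and write-once attributes. Not the post's plugin code; all
# names are illustrative assumptions.

class MassAssignmentError < StandardError; end

class Model
  class << self
    def protected_attrs
      @protected_attrs ||= []
    end

    # Blacklist in the spirit of Rails' attr_protected: listed keys are
    # dropped from mass assignment and recorded in dropped_attributes.
    def attr_protected(*names)
      protected_attrs.concat(names.map(&:to_s))
    end

    # Hypothetical helper mirroring the post's belongs_to_protected:
    # define the association accessors, then protect the foreign key
    # (user_id) and the object setter (user) from mass assignment.
    def belongs_to_protected(name)
      attr_accessor name
      attr_accessor :"#{name}_id"
      attr_protected name, :"#{name}_id"
    end

    # Hypothetical write-once attribute: the setter accepts one value,
    # then refuses any further write, direct or via mass assignment.
    def attr_immutable(*names)
      names.each do |n|
        attr_reader n
        define_method("#{n}=") do |value|
          unless instance_variable_get("@#{n}").nil?
            raise MassAssignmentError, "#{n} can only be set once"
          end
          instance_variable_set("@#{n}", value)
        end
      end
    end
  end

  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  # Mass assignment: unknown keys raise, protected keys are dropped,
  # everything else goes through the ordinary setter.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_s
      raise MassAssignmentError, "unknown attribute #{key}" unless respond_to?("#{key}=")
      if self.class.protected_attrs.include?(key)
        (@dropped ||= []) << key
        next
      end
      public_send("#{key}=", value)
    end
    self
  end

  def dropped_attributes
    @dropped || []
  end
end

# The vulnerable shape: owner fields are plain attributes, so any request
# parameter can rewrite them.
class UnsafeCategory < Model
  attr_accessor :name, :user_id, :user
end

# The hardened shape: the owner association is protected and the slug
# can be set only once.
class Category < Model
  attr_accessor :name
  belongs_to_protected :user
  attr_immutable :slug
end

# Constructed attacker input: a legitimate field plus two ownership fields
# that a client should never be able to set.
ATTACKER_PARAMS = { "name" => "Hacked", "user_id" => 42, "user" => "someone else" }.freeze

# Simulates a controller: ownership is assigned from the trusted session,
# then the request params are mass-assigned. Returns the resulting owner id.
def ownership_after_update(model_class, owner_id, params)
  record = model_class.new(name: "Books")
  record.user_id = owner_id # trusted assignment, e.g. current_user.id
  record.assign_attributes(params)
  record.user_id
end

# Returns true when a second write to the write-once attribute is refused.
def immutable_rejects_rewrite?
  c = Category.new(name: "Books", slug: "books")
  c.assign_attributes("slug" => "other")
  false
rescue MassAssignmentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe owner after update:    #{ownership_after_update(UnsafeCategory, 7, ATTACKER_PARAMS)}"
  puts "protected owner after update: #{ownership_after_update(Category, 7, ATTACKER_PARAMS)}"
  puts "immutable rejects rewrite:    #{immutable_rejects_rewrite?}"
end
```

Run with `ruby` and the unsafe model reports owner 42 after the attacker's params, while the protected model keeps owner 7 and records user_id and user as dropped. One caveat worth keeping in mind with any blacklist approach: a column added later is assignable by default until someone remembers to protect it, so a whitelist (in Rails of that era, attr_accessible) fails safer than attr_protected.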