I know this is not a REAL security issue, but I think it could be, and
this seems very “un-Rails”-like. What’s to keep a user from modifying the
POST hash they send to the server to set ANY attributes they want on an
AR object? attr_protected? So I have to write an attr_protected line in
my model for EVERY relationship I set up? This seems bad:
- It’s redundant and not what I would expect in Rails.
- If I forget to attr_protect a foreign key attribute, I all of a sudden
have a possible security issue.
Let’s pretend a User belongs to a user group, has and belongs to many
roles, and has many orders. So I need to do the following to make my
model secure?
attr_protected :user_group_id, :role_ids, :order_ids
Am I missing something or am I the only person that thinks something is
wrong with this?
attr_accessible is what I think you want
I found out about it at #26 Hackers Love Mass Assignment - RailsCasts
Hey Ben,
and remember that if you use the ‘attr_accessible’ macro, that all
attributes not defined will be protected.
Adam
SweetSpot.dm – Diabetes Wellness for the Family
http://www.SweetSpot.dm
http://blog.SweetSpot.dm
On May 27, 2008, at 10:36 PM, clouder wrote:
attr_accessible is what I think you want
I found out about it at #26 Hackers Love Mass Assignment - RailsCasts
attr_accessible is only a partial solution for a narrow field of
cases. Allowed fields in a POST or GET need to be defined on a
case-by-case, form-by-form basis – not on a model-wide basis.
Allowing field x to be submitted in form A may be ok, but allowing it
to be submitted in form B may not.
In my own frameworks I have always had a server-side definition in
the processing of every specific form of which fields were allowed.
That was one of the very first things I found myself writing a little
method for in Rails. I have a library of misc Security Utility
methods. This is one of them:
module SecurityUtilities
  # Remove every key from input_params that is not listed in allowed_inputs.
  # Form keys arrive as strings, allowed_inputs holds symbols, so compare as
  # symbols. Mutates input_params in place (Hash#delete_if) and returns it.
  def self.distill_params(allowed_inputs, input_params)
    input_params.delete_if do |input_name, input_value|
      !allowed_inputs.include?(input_name.to_sym)
    end
  end
end
Prior to any form process, I first weed out the garbage from params
by defining the allowed_inputs:
allowed_inputs = [
:userType, :pswd1, :pswd2,
:userFirstName, :userLastName,
:userEmail, :userHint, :userHosts]
which gets passed along with the params to filter unwanted k-v pairs
from params.
–
def gw
writes_at ‘www.railsdev.ws’
end
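The following is an added example, not code posted by anyone in this thread and not Rails' own implementation. It models, in plain Ruby with no Rails dependency, the two points made above: a model whose mass assignment accepts every key (the first post's worry) and a per-form allow-list filter in the spirit of distill_params (the last post's approach), showing that the same field can be rejected on one form and accepted on another. The User class, the form names, the field names and the request body are all made up for illustration.

```ruby
# Added example (not from the thread): a Rails-free model of mass assignment
# and a per-form allow-list filter. All names below are hypothetical.

# Stand-in for an ActiveRecord model whose attributes= writes any key given,
# which is the unprotected behaviour the first post is worried about.
class User
  ATTRIBUTES = %i[user_group_id role_ids first_name last_name email].freeze

  attr_accessor(*ATTRIBUTES)

  def initialize
    @user_group_id = 2   # default: an ordinary (non-admin) user group
    @role_ids = []
  end

  # Mass assignment with no protection: every key in the hash is written.
  def assign_unprotected(params)
    params.each { |name, value| public_send("#{name}=", value) }
    self
  end

  def to_h
    ATTRIBUTES.to_h { |a| [a, public_send(a)] }
  end
end

# Per-form allow-lists, as argued for in the last post: a field that is
# legitimate on the admin edit form must not be accepted from the signup form.
FORM_ALLOWED_INPUTS = {
  signup:     %i[first_name last_name email],
  admin_edit: %i[first_name last_name email user_group_id role_ids],
}.freeze

# Non-mutating variant of distill_params: keep only the keys named in the
# form's allow-list. Keys arrive as strings from a web form, so compare as
# symbols. Raises KeyError for an unknown form name rather than allowing all.
def distill_params(form, params)
  allowed = FORM_ALLOWED_INPUTS.fetch(form)
  params.select { |name, _| allowed.include?(name.to_sym) }
end

# Constructed request body: a signup submission in which the client has added
# two foreign-key fields that the signup page never rendered.
TAMPERED_SIGNUP = {
  "first_name"    => "Mallory",
  "last_name"     => "Doe",
  "email"         => "mallory@example.com",
  "user_group_id" => "1",          # smuggled: the admin group
  "role_ids"      => ["1", "2"],   # smuggled: extra roles
}.freeze

# Without filtering, the smuggled keys land on the model.
def unprotected_signup(params = TAMPERED_SIGNUP)
  User.new.assign_unprotected(params).to_h
end

# With the signup allow-list, only the three signup fields survive.
def protected_signup(params = TAMPERED_SIGNUP)
  User.new.assign_unprotected(distill_params(:signup, params)).to_h
end

# The same body on the admin edit form: user_group_id is legitimate there.
def protected_admin_edit(params = TAMPERED_SIGNUP)
  User.new.assign_unprotected(distill_params(:admin_edit, params)).to_h
end

if $PROGRAM_NAME == __FILE__
  p unprotected_signup   # user_group_id => "1", role_ids => ["1", "2"]
  p protected_signup     # user_group_id => 2,   role_ids => []
end
```

Filtering happens on the params hash before it ever reaches the model, so the model itself needs no attr_protected line per association; the allow-list for each form is the single place that decides what that form may set.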