Slicing Your Attributes

3 months ago

Update: Added a reference to Eric Chapweske's blog post about the problem. Thanks to James Healy for the link.

It's common, in Rails controllers, to create and update models straight from the params hash:

@project = Project.new(params[:project])

ActiveRecord models default to having every attribute assignable this way: each key in the hash is sent to the matching attribute writer, whether or not that field was on your form. As a result, unless you've declared attr_protected or attr_accessible on every model, there's a good chance your app has security holes.

Eric Chapweske has found that several popular, open-source Rails apps have holes related to this problem.

ActiveSupport's slice method to the rescue!

@project = Project.new(params[:project].slice(:name, :start_date))

What's it do? From the documentation:

Returns a new hash with only the given keys.
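Here is an added example, not code from the post or from Rails, that shows the difference the slice makes without loading ActiveRecord. The Project class stands in for an ActiveRecord model with the default "every key is assignable" behaviour, slice_params stands in for ActiveSupport's Hash#slice (it compares symbol keys against the string keys a params hash carries, as indifferent access does in Rails), and ATTACKER_PARAMS is a constructed request body with an extra owner_id field the form never offered:

```ruby
# Added example (not from the post or from Rails): a Rails-free model of the
# mass-assignment problem. Project, slice_params and ATTACKER_PARAMS are all
# constructed for this illustration.

class Project
  attr_reader :attributes

  # Like ActiveRecord's default: every key becomes an attribute write,
  # including ones the form never offered (owner_id, admin, ...).
  def initialize(attrs = {})
    @attributes = {}
    attrs.each { |key, value| @attributes[key.to_s] = value }
  end
end

# Stand-in for ActiveSupport's Hash#slice: keep only the named keys,
# comparing symbols and strings alike, as Rails params do.
def slice_params(params, *keys)
  keys.map(&:to_s).each_with_object({}) do |key, kept|
    kept[key] = params[key] if params.key?(key)
  end
end

# Constructed request: the two fields on the form plus an owner_id the
# attacker added to the POST body by hand.
ATTACKER_PARAMS = {
  "name"       => "Q3 roadmap",
  "start_date" => "2008-10-01",
  "owner_id"   => 1
}.freeze

# The pattern from the post: Project.new(params[:project]).
def unsafe_build(params)
  Project.new(params)
end

# The fix from the post: Project.new(params[:project].slice(:name, :start_date)).
def safe_build(params)
  Project.new(slice_params(params, :name, :start_date))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_build(ATTACKER_PARAMS).attributes.inspect}"
  puts "safe:   #{safe_build(ATTACKER_PARAMS).attributes.inspect}"
end
```

Two things to keep in mind when using the real slice: it filters only the top-level keys you name, and whatever it keeps passes through untouched, so a nested hash under a kept key is still mass-assigned in full. And params[:project] is nil when the request has no project key at all, so calling slice on it raises NoMethodError; check for that, and treat slice as a per-action whitelist that complements, rather than replaces, attr_accessible on the model.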

Comments

Reference for known rails apps with mass assignment security issues: http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment

3 months ago
