ruby.lang.security.create-with.create-with

Community Favorite
Author: semgrep
Download Count*: 46,077

Checks for strong parameter bypass through usage of create_with. In affected Rails versions (4.0.x before 4.0.9 and 4.1.x before 4.1.5, CVE-2014-3514, see the advisory referenced in the rule) create_with did not check whether the attributes it was given had been permitted, so passing request parameters straight into it let an attacker set arbitrary attributes on the created models (mass assignment). To fix this, either remove the create_with call or pass only permitted parameters, i.e. call permit with the attributes that are allowed to be set.
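The mechanism behind the check, as an added example that is not part of the rule, of Rails, or of the examples below: a minimal stand-in for ActionController::Parameters and ActiveModel's ForbiddenAttributesProtection, with the pre-fix and fixed shape of create_with side by side. The class names (Params, BlogPost, UnpatchedScope, PatchedScope), the simplified sanitize_for_mass_assignment helper and the REQUEST hash are assumptions constructed for the demonstration; no Rails gem is needed to run it.

```ruby
# Added example, not Rails code: a minimal model of how strong parameters are
# enforced and why an unpermitted hash reaching create_with is a bypass.
# Params, BlogPost, UnpatchedScope, PatchedScope and REQUEST are constructed
# for this demonstration.

class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: a hash that remembers whether it
# went through permit. Raw request parameters start out unpermitted.
class Params
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # permit returns a new, permitted object holding only the listed keys;
  # anything else the client sent is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  def to_h
    @hash.dup
  end
end

# Modelled on ActiveModel::ForbiddenAttributesProtection: mass assignment is
# refused when the attributes object knows about permitted? and says false.
def sanitize_for_mass_assignment(attrs)
  if attrs.respond_to?(:permitted?) && !attrs.permitted?
    raise ForbiddenAttributesError, "unpermitted parameters in mass assignment"
  end
  attrs.to_h
end

class BlogPost
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end
end

# Scope with the pre-fix create_with: defaults are stored as given and merged
# into every record the scope builds, without the permitted? check that
# create applies. This is the bypass the rule looks for.
class UnpatchedScope
  def initialize
    @defaults = {}
  end

  def create_with(attrs)
    @defaults = attrs.to_h # no sanitize_for_mass_assignment here
    self
  end

  def create(attrs = {})
    BlogPost.new(@defaults.merge(sanitize_for_mass_assignment(attrs)))
  end
end

# Fixed create_with: the defaults go through the same check as create.
class PatchedScope < UnpatchedScope
  def create_with(attrs)
    @defaults = sanitize_for_mass_assignment(attrs)
    self
  end
end

# Constructed request: the form exposes title and body; the attacker adds
# published, an attribute the form never offered.
REQUEST = Params.new({ "title" => "Hello", "body" => "text", "published" => true })

def bad_create_with(scope = UnpatchedScope.new)
  scope.create_with(REQUEST).create                       # flagged by the rule
end

def good_create_with(scope = UnpatchedScope.new)
  scope.create_with(REQUEST.permit(:title, :body)).create # not flagged
end

def create_direct(scope = UnpatchedScope.new)
  scope.create(REQUEST)                                   # plain create is protected
end

# Returns true when the block is refused by strong parameters.
def forbidden?
  yield
  false
rescue ForbiddenAttributesError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts bad_create_with.attributes.inspect               # published leaks through
  puts good_create_with.attributes.inspect              # only title and body
  puts forbidden? { create_direct }                     # true
  puts forbidden? { bad_create_with(PatchedScope.new) } # true
end
```

On the unpatched scope the unpermitted hash flows into the record untouched, while the same hash passed to create is rejected; on the patched scope create_with rejects it too. Either way, the permit call in good_create_with is what keeps the attacker-supplied published attribute out, which is exactly the pattern-not clause of the rule.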


Definition

rules:
  - id: create-with
    patterns:
      - pattern-not: |
          $FUNC.create_with($PARAMSB.permit(...))
      - pattern: |
          $FUNC.create_with($PARAMSA)
    message: Checks for strong parameter bypass through usage of create_with.
      In affected Rails versions (4.0.x before 4.0.9 and 4.1.x before 4.1.5,
      CVE-2014-3514) create_with did not check that its attributes had been
      permitted, so passing request parameters into it could let attackers set
      arbitrary attributes on models. To fix this, either remove the
      create_with call or pass parameters filtered with permit, naming the
      attributes that are allowed to be set.
    metadata:
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb
        - https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ
      category: security
      technology:
        - ruby
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    languages:
      - ruby
    severity: ERROR

Examples

create-with.rb

def bad_create_with
    # ruleid: create-with
    user.blog_posts.create_with(params[:blog_post]).create
end

def create
    # ok: create-with
    user.blog_posts.create(params[:blog_post])
    # ok: create-with
    user.blog_posts.create_with(params[:blog_post].permit(:title, :body, :etc)).create
end