ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
98,234
Download Count*

Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect.

Run Locally

Run in CI

Defintion

rules:
  - id: mass-assignment-protection-disabled
    pattern: $MODEL.new(params[...], ..., :without_protection => true, ...)
    message: Mass assignment protection disabled for '$MODEL'. This could permit
      assignment to sensitive model fields without intention. Instead, use
      'attr_accessible' for the model or disable mass assigment using
      'config.active_record.whitelist_attributes = true'. ':without_protection
      => true' must be removed for this to take effect.
    metadata:
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/mass_assignment/index.markdown
      category: security
      technology:
        - ruby
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - ruby

Examples

mass-assignment-protection-disabled.rb

# ruleid:mass-assignment-protection-disabled
User.new(params[:user], :without_protection => true)

# ok:mass-assignment-protection-disabled
User.new(params[:user])