ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled
Verifed by r2c
Community Favorite
semgrepAuthor
98,234
Download Count*
License
Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect.
Run Locally
Run in CI
Defintion
rules:
- id: mass-assignment-protection-disabled
pattern: $MODEL.new(params[...], ..., :without_protection => true, ...)
message: Mass assignment protection disabled for '$MODEL'. This could permit
assignment to sensitive model fields without intention. Instead, use
'attr_accessible' for the model or disable mass assigment using
'config.active_record.whitelist_attributes = true'. ':without_protection
=> true' must be removed for this to take effect.
metadata:
cwe:
- "CWE-915: Improperly Controlled Modification of Dynamically-Determined
Object Attributes"
owasp:
- A08:2021 - Software and Data Integrity Failures
source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/mass_assignment/index.markdown
category: security
technology:
- ruby
references:
- https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mass Assignment
severity: WARNING
languages:
- ruby
Examples
mass-assignment-protection-disabled.rb
# ruleid:mass-assignment-protection-disabled
User.new(params[:user], :without_protection => true)
# ok:mass-assignment-protection-disabled
User.new(params[:user])
Short Link: https://sg.run/2byz