ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible
Author: semgrep
Download count: 161
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.
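The following is an added illustration of the risk the rule describes, not code from the Semgrep rule or its test file. It needs no Rails: `Model` is a hypothetical stand-in for an ActiveRecord model whose constructor performs mass assignment, and `permit` is a hypothetical helper that mimics the allowlisting done by strong parameters (`ActionController::Parameters#permit`). The request hash is constructed for the example.

```ruby
# Added example, not part of the Semgrep rule or its test fixture.
# `Model` stands in for an ActiveRecord model (assumption: no Rails loaded);
# `permit` mimics strong parameters' allowlist (hypothetical helper).
class Model
  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    assign_attributes(attrs)
  end

  # Mass assignment: every key in the hash becomes an attribute. A controller
  # that passes request params straight through lets the client set any column,
  # which is exactly what attr_accessible / strong parameters are meant to stop.
  def assign_attributes(attrs)
    attrs.each { |k, v| @attributes[k.to_s] = v }
  end
end

class User < Model
  def admin?
    attributes["admin"] == true
  end
end

# Strong-parameters style allowlist: keep only the listed keys, drop the rest.
def permit(params, allowed)
  allowed_names = allowed.map(&:to_s)
  params.select { |k, _| allowed_names.include?(k.to_s) }
end

# Constructed request body: the client added an `admin` key the signup form
# never offered.
TAMPERED_PARAMS = {
  "login" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

# Unfiltered create (what the rule flags): the client-supplied key lands on
# the model.
def create_without_allowlist(params)
  User.new(params)
end

# Allowlisted create: only login and email reach the model; admin is dropped.
def create_with_allowlist(params)
  User.new(permit(params, [:login, :email]))
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered admin? #{create_without_allowlist(TAMPERED_PARAMS).admin?}"   # true
  puts "allowlisted admin? #{create_with_allowlist(TAMPERED_PARAMS).admin?}"     # false
end
```

Running the file prints `true` for the unfiltered path and `false` for the allowlisted one; the difference is the single `permit` call, which is the same shape as `params.require(:user).permit(:login, :email)` in a real controller.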
Definition

rules:
  - id: model-attributes-attr-accessible
    patterns:
      - pattern-not: |
          class $CLASS < $TYPE
            ...
            attr_accessible :$XXX
            ...
          end
          ...
          $CLASS.$FUNC(...)
      - pattern: |
          class $CLASS < $TYPE
            ...
          end
          ...
          $CLASS.$FUNC(...)
      - metavariable-pattern:
          metavariable: $TYPE
          patterns:
            - pattern-not-regex: (?i)(Error|Exception)
      - focus-metavariable: $CLASS
    message: Checks for models that do not use attr_accessible. This means there is
      no limiting of which variables can be manipulated through mass assignment.
      For newer Rails applications, parameters should be allowlisted using
      strong parameters. For older Rails versions, they should be allowlisted
      using strong_attributes.
    metadata:
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb
      category: security
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      technology:
        - rails
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    languages:
      - ruby
    severity: ERROR
Examples
model-attributes-attr-accessible.rb
class User < ActiveRecord::Base
  acts_as_authentic do |t|
    t.login_field = :login # for available options see documentation in: Authlogic::ActsAsAuthentic
  end # block optional
  attr_accessible :login
  attr_accessible :first_name
  attr_accessible :middle_name
  attr_accessible :surname
  attr_accessible :permanent_address
  attr_accessible :correspondence_address
  attr_accessible :email
  attr_accessible :contact_no
  attr_accessible :gender
  attr_accessible :password
  attr_accessible :password_confirmation
  attr_accessible :avatar
  has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }
end

def create
  user = User.create(person_params)
end

# ruleid: model-attributes-attr-accessible
class User < ActiveRecord::Base
  acts_as_authentic do |t|
    t.login_field = :login # for available options see documentation in: Authlogic::ActsAsAuthentic
  end # block optional
  has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }
end

def create
  user = User.create(person_params)
end

class SomeErrorClass < RuntimeError
  def initialize()
  end
end

#ok: model-attributes-attr-accessible
SomeErrorClass.new()

#todook: model-attributes-attr-accessible
class TestObject < Struct.new(:name); end
TestObject.new("name")
Short Link: https://sg.run/1nrb