ruby.lang.security.model-attributes-attr-accessible.model-attributes-attr-accessible


Checks for models that do not use attr_accessible. This means there is no limiting of which variables can be manipulated through mass assignment. For newer Rails applications, parameters should be allowlisted using strong parameters. For older Rails versions, they should be allowlisted using strong_attributes.
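As an added illustration of the mass-assignment risk this rule flags (not part of the Semgrep rule or its test file), the Ruby below models the problem without Rails: a hypothetical `UnprotectedUser` class assigns every key it receives, the way an ActiveRecord model without `attr_accessible` or strong parameters would, while `ProtectedUser` applies an allowlist in the spirit of `attr_accessible` / `params.permit`. The class names, the `PERMITTED` set and the tampered request hash are all constructed for the example.

```ruby
require 'set'

# Hypothetical stand-in for a model with no attribute allowlist: every key in
# the incoming hash is written straight to a setter.
class UnprotectedUser
  attr_accessor :login, :email, :admin

  def initialize(params = {})
    @admin = false
    # Mass assignment with no restriction: "admin" is set just like "login".
    params.each { |key, value| public_send("#{key}=", value) }
  end
end

# Hypothetical stand-in for a model that allowlists assignable attributes,
# as attr_accessible (older Rails) or strong parameters (newer Rails) do.
class ProtectedUser
  attr_accessor :login, :email, :admin

  PERMITTED = Set.new(%w[login email]).freeze

  def initialize(params = {})
    @admin = false
    params.each do |key, value|
      # Keys outside the allowlist are dropped, so a client cannot promote
      # itself by adding fields the form never offered.
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
  end
end

# Constructed sample request body with an extra "admin" key appended by a
# client; a real Rails controller would receive this as params[:user].
TAMPERED_PARAMS = {
  'login' => 'alice',
  'email' => 'alice@example.com',
  'admin' => true
}.freeze

# Returns the admin flag after building each model from the tampered input.
def unprotected_admin?(params = TAMPERED_PARAMS)
  UnprotectedUser.new(params).admin
end

def protected_admin?(params = TAMPERED_PARAMS)
  ProtectedUser.new(params).admin
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected model: admin=#{unprotected_admin?}"  # true
  puts "protected model:   admin=#{protected_admin?}"    # false
end
```

The allowlist is the control the rule is checking for: a model that defines it (or a controller that filters with `permit`) decides which attributes request data may touch, and everything else is ignored rather than written.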


Definition

rules:
  - id: model-attributes-attr-accessible
    patterns:
      - pattern-not: |
          class $CLASS < $TYPE
          ...
          attr_accessible :$XXX
          ...
          end
          ...
          $CLASS.$FUNC(...)
      - pattern: |
          class $CLASS < $TYPE
          ...
          end
          ...
          $CLASS.$FUNC(...)
      - metavariable-pattern:
          metavariable: $TYPE
          patterns:
            - pattern-not-regex: (?i)(Error|Exception)
      - focus-metavariable: $CLASS
    message: Checks for models that do not use attr_accessible. This means there is
      no limiting of which variables can be manipulated through mass assignment.
      For newer Rails applications, parameters should be allowlisted using
      strong parameters. For older Rails versions, they should be allowlisted
      using strong_attributes.
    metadata:
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb
      category: security
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      technology:
        - rails
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    languages:
      - ruby
    severity: ERROR

Examples

model-attributes-attr-accessible.rb

class User < ActiveRecord::Base
  acts_as_authentic do |t|
    t.login_field=:login # for available options see documentation in: Authlogic::ActsAsAuthentic
  end # block optional
  attr_accessible :login
  attr_accessible :first_name
  attr_accessible :middle_name
  attr_accessible :surname
  attr_accessible :permanent_address
  attr_accessible :correspondence_address
  attr_accessible :email
  attr_accessible :contact_no
  attr_accessible :gender
  attr_accessible :password
  attr_accessible :password_confirmation
  attr_accessible :avatar
  has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }
end

def create
  user = User.create(person_params)
end

# ruleid: model-attributes-attr-accessible
class User < ActiveRecord::Base
  acts_as_authentic do |t|
    t.login_field=:login # for available options see documentation in: Authlogic::ActsAsAuthentic
  end # block optional
  has_attached_file :avatar, :styles => { :medium => "300x300>", :thumb => "100x100>" }
end

def create
  user = User.create(person_params)
end

class SomeErrorClass < RuntimeError
  def initialize()
  end
end

#ok: model-attributes-attr-accessible
SomeErrorClass.new()

#todook: model-attributes-attr-accessible
class TestObject < Struct.new(:name); end
TestObject.new("name")