ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln
Community Favorite
Author: semgrep
Download Count*: 47,180
Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.
Definition
rules:
  - id: mass-assignment-vuln
    patterns:
      - pattern-either:
          - pattern: |
              $MOD.new(params[$CODE])
          - pattern: |
              $MOD.new(..., params[$CODE], :without_protection => true, ...)
      - pattern-not-inside: |
          attr_accessible $VAR
          ...
          $MOD.new(params[$CODE])
    message: "Checks for calls to without_protection during mass assignment (which
      allows record creation from hash values). This can lead to users bypassing
      permissions protections. For Rails 4 and higher, mass protection is on by
      default. Fix: Don't use :without_protection => true. Instead, configure
      attr_accessible to control attribute access."
    metadata:
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb
        - https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/
      category: security
      technology:
        - ruby
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    languages:
      - ruby
    severity: WARNING
Examples
unprotected-mass-assign.rb
def mass_assign_unsafe
  # ruleid: mass-assignment-vuln
  User.new(params[:user])
  # ruleid: mass-assignment-vuln
  user = User.new(params[:user])
  # ruleid: mass-assignment-vuln
  User.new(params[:user], :without_protection => true)
end

def safe_send
  # ok: mass-assignment-vuln
  attr_accessible :name
  User.new(params[:user])
  # ok: mass-assignment-vuln
  attr_accessible :name
  user = User.new(params[:user])
end
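To show why the rule treats :without_protection => true as a finding and attr_accessible as the fix, here is an added example (not the rule's test file and not Rails code) that re-implements the two Rails 3 behaviours in plain Ruby; the MassAssignable module, the User class and UNTRUSTED_PARAMS are constructed stand-ins so it runs without Rails installed.

```ruby
# Added example, not the rule's or Rails' code: a minimal stand-in for the
# Rails 3 attr_accessible / :without_protection semantics the rule refers to,
# so both paths can be run without Rails installed.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist of attributes that may be set from an untrusted hash.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  attr_reader :attributes

  # With :without_protection => true every key in the hash is assigned;
  # otherwise keys outside the whitelist are silently dropped.
  def initialize(attrs = {}, options = {})
    allowed = self.class.accessible_attributes
    @attributes = {}
    attrs.each do |key, value|
      name = key.to_s
      next unless options[:without_protection] || allowed.include?(name)
      @attributes[name] = value
    end
  end
end

class User
  include MassAssignable
  attr_accessible :name, :email
end
# Constructed stand-in for params[:user]: the client added an "admin" field
# that the sign-up form never exposed.
UNTRUSTED_PARAMS = { "name" => "alice", "email" => "alice@example.test", "admin" => true }

# What the rule flags: the whitelist is bypassed and admin lands on the record.
def mass_assign_unprotected(params)
  User.new(params, :without_protection => true).attributes
end
# The fix the rule suggests: let attr_accessible filter the hash, so admin is dropped.
def mass_assign_protected(params)
  User.new(params).attributes
end
```

In real Rails 3 code the same whitelist is enforced by ActiveRecord, and on Rails 4 and later strong parameters take over the role; the point is only that the unprotected call makes the whitelist irrelevant.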
Short Link: https://sg.run/xY8e