ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln

rules:
  - id: mass-assignment-vuln
    patterns:
      - pattern-either:
          - pattern: |
              $MOD.new(params[$CODE])
          - pattern: |
              $MOD.new(..., params[$CODE], :without_protection => true, ...)
      - pattern-not-inside: |
          attr_accessible $VAR
          ...
          $MOD.new(params[$CODE])
    message: "Checks for calls to without_protection during mass assignment (which
      allows record creation from hash values). This can lead to users bypassing
      permissions protections. For Rails 4 and higher, mass protection is on by
      default. Fix: Don't use :without_protection => true. Instead, configure
      attr_accessible to control attribute access."
    metadata:
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      references:
        - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb
        - https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/
      category: security
      technology:
        - ruby
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    languages:
      - ruby
    severity: WARNING