ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium
Author: unknown
Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.
Definition
rules:
  - id: check-permit-attributes-medium
    patterns:
      - pattern: $P.permit($ATTRIBUTE)
      - metavariable-regex:
          metavariable: $ATTRIBUTE
          regex: .*(role|banned).*
    message: Calling `permit` on security-critical properties like `$ATTRIBUTE` may
      leave your application vulnerable to mass assignment.
    languages:
      - ruby
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb
      category: security
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - ruby
        - rails
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
Examples
check-permit-attributes-medium.rb
params = ActionController::Parameters.new({
  person: {
    name: "Francesco",
    age: 22,
    role_id: "admin"
  }
})

# ruleid: check-permit-attributes-medium
params.permit(:role_id)

# ok: check-permit-attributes-medium
params.permit(:some_safe_property)
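The following is an added, self-contained Ruby example (not code from the Semgrep registry or from Brakeman) that shows the mass-assignment risk this rule flags and the allowlist shape that avoids it. Because it runs without Rails, the `Params` class is a simplified stand-in for `ActionController::Parameters#permit`, and the `User` model, the `TAMPERED_REQUEST` body and the helper functions are all constructed for illustration; the `SENSITIVE_KEY` pattern is the same `role|banned` regex the rule applies to `$ATTRIBUTE`.

```ruby
# Added example: minimal stand-in for Rails strong parameters so the
# mass-assignment problem can be exercised offline. Nothing here is the real
# Rails implementation; Params, User and the request body are constructed.

# Same pattern the rule applies to $ATTRIBUTE: any permitted key mentioning
# "role" or "banned" is treated as security-critical.
SENSITIVE_KEY = /.*(role|banned).*/

def sensitive_attribute?(key)
  !!(key.to_s =~ SENSITIVE_KEY)
end

# Simplified model of ActionController::Parameters#permit: only keys on the
# allowlist survive; every other key from the request is dropped.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_sym)
  end

  def permit(*keys)
    @hash.slice(*keys.map(&:to_sym))
  end
end

# Constructed model: a user record with a privilege field and a ban flag,
# both of which must stay server-controlled.
class User
  attr_reader :name, :role, :banned

  def initialize
    @name = nil
    @role = "member" # default for every new account
    @banned = false
  end

  # Mass assignment: every key in attrs is written straight to the record.
  def update(attrs)
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end
end

# Constructed request body: a self-registration form to which the client has
# added fields the form never exposed.
TAMPERED_REQUEST = {
  "name" => "Francesco",
  "role" => "admin",
  "banned" => false
}.freeze

# Vulnerable shape (what the rule warns about): role is on the allowlist,
# so the client picks its own privilege level.
def update_with_permitted_role(request_body)
  User.new.update(Params.new(request_body).permit(:name, :role))
end

# Hardened shape: only user-editable fields are permitted; role and banned
# never flow in from the request and keep their server-side defaults.
def update_with_safe_allowlist(request_body)
  User.new.update(Params.new(request_body).permit(:name))
end

# Triage helper: lists which keys in a permit call the rule would flag.
def flagged_keys(*permitted)
  permitted.select { |k| sensitive_attribute?(k) }
end

if __FILE__ == $PROGRAM_NAME
  puts "permitted :role  -> role=#{update_with_permitted_role(TAMPERED_REQUEST).role}"
  puts "safe allowlist   -> role=#{update_with_safe_allowlist(TAMPERED_REQUEST).role}"
  p flagged_keys(:name, :role_id, :is_banned, :email)
end
```

The two update functions differ only in the allowlist, which is the point of the rule: the model's `update` will happily write whatever it is handed, so the `permit` call is the only place where `role` and `banned` are kept out of reach of the request. `flagged_keys` reproduces the rule's regex so a reviewer can see why `:role_id` or `:is_banned` in a permit list trips the finding.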
Short Link: https://sg.run/PPLE