ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium

Author: semgrep
Calling permit on security-critical properties like $ATTRIBUTE may leave your application vulnerable to mass assignment.


Definition

rules:
  - id: check-permit-attributes-medium
    patterns:
      - pattern: $P.permit($ATTRIBUTE)
      - metavariable-regex:
          metavariable: $ATTRIBUTE
          regex: .*(role|banned).*
    message: Calling `permit` on security-critical properties like `$ATTRIBUTE` may
      leave your application vulnerable to mass assignment.
    languages:
      - ruby
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_permit_attributes.rb
      category: security
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - ruby
        - rails
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment

Examples

check-permit-attributes-medium.rb

# Semgrep test fixture for this rule. ActionController::Parameters comes from the
# actionpack gem (bundled with Rails); requiring it makes the file runnable on its own.
require "action_controller"

params = ActionController::Parameters.new({
  person: {
    name: "Francesco",
    age:  22,
    role_id: "admin"
  }
})

# ruleid: check-permit-attributes-medium
# `:role_id` matches the rule's (role|banned) regex: a client could set it in the request.
params.permit(:role_id)
# ok: check-permit-attributes-medium
params.permit(:some_safe_property)
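The fixture above only shows the call the rule matches. The following is an added example (not code from the Semgrep rule or from Brakeman) that shows the mass-assignment path the finding is about: a vulnerable strong-parameters call that permits `role` beside the profile fields, the hardened form that keeps role out of the request entirely, and the same `(role|banned)` substring regex applied to a list of attribute names so you can see what it flags and where it false-positives. `Params` is a deliberately minimal stand-in for `ActionController::Parameters` (only `require`/`permit` on scalar keys) so the block runs without Rails; `User`, the helper methods and the request body are constructed for illustration. One caveat worth knowing when you run the rule: the pattern `$P.permit($ATTRIBUTE)` binds exactly one argument, so a multi-argument call like `permit(:name, :email, :role)` is not reported by the rule as written; a pattern of the form `$P.permit(..., $ATTRIBUTE, ...)` would cover it.

```ruby
# Added example, not code from the Semgrep rule or from Brakeman.
# `Params` is a deliberately small stand-in for ActionController::Parameters
# (require/permit for scalar keys only) so the example runs without Rails;
# `User`, the helper methods and the request body are constructed for illustration.

class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_sym)
  end

  # Like ActionController::Parameters#require: the key must be present.
  def require(key)
    value = @hash.fetch(key) { raise KeyError, "param is missing: #{key}" }
    Params.new(value)
  end

  # Like #permit for scalar keys: anything not listed is silently dropped,
  # anything listed flows straight into the model.
  def permit(*keys)
    @hash.slice(*keys)
  end
end

class User
  attr_accessor :name, :email, :role

  def initialize(name:, email:, role: "member")
    @name, @email, @role = name, email, role
  end

  # Mass assignment: every permitted key becomes a setter call.
  def update(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Constructed request body: a self-service profile edit with an injected role.
ATTACKER_BODY = { user: { name: "mallory", email: "m@example.com", role: "admin" } }.freeze

# Vulnerable: `role` is permitted next to the harmless profile fields, so the
# attacker promotes themselves with a single request.
def vulnerable_profile_update(user, body)
  user.update(Params.new(body).require(:user).permit(:name, :email, :role))
end

# Hardened: role is never read from the request body at all.
def safe_profile_update(user, body)
  user.update(Params.new(body).require(:user).permit(:name, :email))
end

# Role changes go through a separate path that checks the caller's privilege
# server-side instead of trusting the request.
def change_role(user, new_role, actor:)
  raise SecurityError, "only admins may change roles" unless actor.role == "admin"
  user.update(role: new_role)
end

# The substring regex the rule applies to `$ATTRIBUTE`, to show what it flags:
# `:role_id` and `:banned_until` are caught, `:enrolled` is not, and
# `:parole_status` is a false positive because it contains "role".
SENSITIVE_ATTRIBUTE = /(role|banned)/.freeze

def risky_permits(keys)
  keys.select { |k| k.to_s.match?(SENSITIVE_ATTRIBUTE) }
end

if __FILE__ == $PROGRAM_NAME
  victim = User.new(name: "mallory", email: "old@example.com")
  vulnerable_profile_update(victim, ATTACKER_BODY)
  puts "vulnerable: role is now #{victim.role}"   # admin

  member = User.new(name: "mallory", email: "old@example.com")
  safe_profile_update(member, ATTACKER_BODY)
  puts "hardened: role is still #{member.role}"   # member

  p risky_permits(%i[name email role_id banned_until enrolled parole_status])
end
```

The design point is that the fix is not "validate the role value" but "never accept it from the client": the allow-list in `safe_profile_update` cannot be widened by anything the attacker sends, and privilege changes live behind an explicit authorization check.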