Which fields should be protected against mass assignment?

I am doing a security audit in Rails 2.3.8, and one of the things that came up is the lack of attr_protected or attr_accessible in my model definitions. I understand the arguments behind them and even wrote a gem to help with mass assignment, but I'm looking for attributes that I could potentially be missing.

The problem I have is determining which fields should be protected. Are there any rules that people usually follow for this? I think attributes like foreign keys and boolean attributes like admin? make sense to protect. I am also interested in STI type fields and polymorphic *_type / *_id fields. I see that Rails 3 introduced attributes that are protected by default, but Rails 2.3.8 does not seem to have this.

Any advice on this would be greatly appreciated.

0
2 answers

My general rule is that any attribute that you do not want users to change must be protected.

Therefore, in my models, I use attr_accessible for all attributes that are present as fields in forms. All others are protected. (I would prefer that everything be protected by default.)

In other words: assume that all data sent by clients may have been maliciously altered.

Edit: related blog post: http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/

+5
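The whitelist rule from the answer above, as an added example that is not part of the original post or of Rails itself: a plain-Ruby imitation of attr_accessible semantics so the behaviour can be checked without ActiveRecord. It assumes a hypothetical User model and, unlike Rails 2.3 (where a model with no declaration accepts every attribute), treats undeclared models as fully protected, the stricter default the answer says it would prefer.

```ruby
# Plain-Ruby imitation of attr_accessible (not ActiveRecord). Assumption:
# a model that declares nothing protects everything.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist the form fields; every other attribute stays protected.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Copy only whitelisted keys from a params hash; return the keys that were
  # dropped so the caller can log an attempted tampering.
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if self.class.accessible_attributes.include?(key)
        instance_variable_set("@#{key}", value)
      else
        rejected << key
      end
    end
    rejected
  end
end

# Hypothetical model: name and email come from the signup form; admin,
# account_id (foreign key) and type (STI column) must never come from params.
class User
  include MassAssignable
  attr_reader :name, :email, :admin, :account_id, :type
  attr_accessible :name, :email
  def initialize
    @admin = false
    @account_id = nil
    @type = 'User'
  end
end

# Constructed request params, as a tampered signup submission would look.
def tampered_signup
  user = User.new
  rejected = user.assign_attributes('name' => 'alice', 'email' => 'a@example.com',
                                    'admin' => true, 'account_id' => 42, 'type' => 'Admin')
  { user: user, rejected: rejected }
end
```

Logging the rejected keys is worthwhile: a request that tries to set admin or a foreign key is a tampering signal, not just a dropped field.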

I assume that every “potentially dangerous” attribute should be protected, for example, an admin flag for the user.

In my opinion, ideally, each model should have attr_accessible for all attributes that can be updated. This is a safer solution.

0