
Rails 3: Mass assignment protection and .create_with

Tobias Kraze
August 19, 2014
Software engineer at makandra GmbH

The issue

Yesterday, Rails fixed a security issue (CVE-2014-3514, fixed in 4.0.9 and 4.1.5) in Rails 4+. It was possible to use .where or .create_with to bypass Rails' Strong Parameters:

user.blog_posts.create_with(params[:blog_post]).create

would set every attribute contained in params[:blog_post] on the blog post, including ones the controller never permitted. After the fix, create_with refuses an unpermitted ActionController::Parameters hash (it raises ActiveModel::ForbiddenAttributesError, just like .new or .create would), so you have to whitelist the params first, e.g. via params[:blog_post].permit(:title, :body).

If you did not even know .create_with existed, have a look at the API.

How this applies to Rails 3

In Rails 3, Strong Parameters did not exist yet. Instead, you used mass assignment protection via attr_accessible / attr_protected.

But neither .create_with nor .where apply mass assignment protection: the attributes you pass to them are written straight into the new record, before the whitelist is consulted. The code above therefore sets protected attributes in Rails 3, too.

Unfortunately, there is no good fix for this, since you do not always want mass assignment protection to apply. Consider this:

BlogPost.create_with(:user_id => current_user.id).create(params[:blog_post])

Here you clearly want user_id to be set, even though it is protected. Leaving it unset, or taking it from user input, would be more dangerous than setting it from the scope.

Rails 4 can be smarter because of how Strong Parameters work: an ActionController::Parameters hash knows whether it has been permitted, so create_with can tell request parameters apart from values your own code passes in. Rails 3 has no such marker, so it cannot tell the two apart and won't protect you from this. The only safe rule is to never hand raw user input to .create_with or .where; whitelist it yourself first, or pass it through .new / .create / .assign_attributes, where attr_accessible applies.
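To make the assignment order concrete, here is an added example (not code from the original post and not ActiveRecord itself). It is a deliberately small stand-in that reproduces only the part of Rails 3 that matters here: scope attributes from .where / .create_with are written into the record directly, and only the hash handed to .create / .new goes through the attr_accessible whitelist. The class and method names (BlogPostRecord, Relation, the three *_create helpers) and the attacker-controlled params hash are constructed for illustration; sanitize_for_mass_assignment mirrors the name of the protected ActiveModel::MassAssignmentSecurity method that real Rails 3 models have.

```ruby
# Simplified stand-in for Rails 3 mass-assignment protection combined with
# .create_with scope attributes. This is NOT ActiveRecord; it only reproduces
# the assignment order that matters: scope attributes first and unfiltered,
# then the explicit attributes through the attr_accessible whitelist.
require 'set'

class BlogPostRecord
  # Equivalent of: attr_accessible :title, :body
  ACCESSIBLE = Set.new(%w[title body]).freeze

  attr_reader :attributes

  def initialize(scope_attributes = {}, user_attributes = {})
    @attributes = {}
    # 1. Attributes from .where / .create_with bypass protection entirely.
    scope_attributes.each { |k, v| @attributes[k.to_s] = v }
    # 2. Attributes passed to .new / .create go through the whitelist.
    assign_attributes(user_attributes)
  end

  # Mirrors ActiveModel::MassAssignmentSecurity#sanitize_for_mass_assignment:
  # everything that is not whitelisted is dropped. (Real Rails 3 logs or
  # raises on dropped keys, depending on config.active_record.mass_assignment_sanitizer.)
  def self.sanitize_for_mass_assignment(attrs)
    attrs.select { |k, _| ACCESSIBLE.include?(k.to_s) }
  end

  def assign_attributes(attrs)
    self.class.sanitize_for_mass_assignment(attrs).each do |k, v|
      @attributes[k.to_s] = v
    end
  end
end

# Minimal relation: create_with accumulates scope attributes, create builds a record.
class Relation
  def initialize(scope = {})
    @scope = scope
  end

  def create_with(attrs)
    Relation.new(@scope.merge(attrs))
  end

  def create(attrs = {})
    BlogPostRecord.new(@scope, attrs)
  end
end

# Constructed attacker-controlled request params: tries to take over the
# owner (user_id) and flip a protected flag (published).
EVIL_PARAMS = { 'title' => 'Hi', 'body' => 'x', 'user_id' => 1, 'published' => true }.freeze
CURRENT_USER_ID = 42

# Vulnerable pattern from the post: raw user input fed to create_with.
# Every key lands on the record, whitelist or not.
def vulnerable_create(params)
  Relation.new.create_with(params).create.attributes
end

# Legitimate pattern from the post: an internal value in create_with,
# user input through create. user_id comes from the scope; the attacker's
# user_id and published are filtered out.
def intended_create(params, current_user_id)
  Relation.new.create_with('user_id' => current_user_id).create(params).attributes
end

# Rails 3 workaround when you really need user input in create_with:
# whitelist it yourself before it reaches the scope.
def sanitized_create_with(params, current_user_id)
  safe = BlogPostRecord.sanitize_for_mass_assignment(params)
  Relation.new.create_with(safe.merge('user_id' => current_user_id)).create.attributes
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_create(EVIL_PARAMS)
  p intended_create(EVIL_PARAMS, CURRENT_USER_ID)
  p sanitized_create_with(EVIL_PARAMS, CURRENT_USER_ID)
end
```

Running it prints the attacker's user_id and published flag on the first record, while the other two records carry user_id 42 and no published key. In a real Rails 3 app the same outcome follows from the order in which ActiveRecord applies scope attributes and then assign_attributes; the point of the stand-in is only to make that order visible.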

Posted by Tobias Kraze to makandra dev (2014-08-19 11:52)