The issue
Yesterday, Rails fixed a security issue (CVE-2014-3514) in Rails 4+. It was possible to use .where or .create_with to bypass Rails' Strong Parameters:
user.blog_posts.create_with(params[:blog_post]).create
would set all attributes on the blog post. After the fix, you have to properly whitelist the params, via params[:blog_post].permit(:title, :body).
If you did not even know .create_with existed, have a look at the API.
How this applies to Rails 3
In Rails 3, Strong Parameters did not exist yet. Instead, you used mass assignment protection via attr_accessible / attr_protected.
But for .create_with and .where, mass assignment protection has no effect. The code above can set protected attributes.
Unfortunately, there is no good fix for this, since you do not always want mass assignment protection to apply. Consider this:
BlogPost.create_with(:user_id => current_user.id).create(params[:blog_post])
Here you clearly want the user_id to be set, even if it is protected. It would be more dangerous not to set it.
Rails 4 can be more clever, due to how Strong Parameters work, as it can easily distinguish between user input and internal code. Rails 3 cannot, and so won't protect you from this.
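The following is an added example, not code from the card or from Rails. It models with plain Hashes (no ActiveRecord) why create_with(params[:blog_post]) is unsafe in Rails 3 and what a controller has to do instead: whitelist the request hash itself, then merge the trusted user_id last. BLOG_POST_PERMITTED, HOSTILE_PARAMS and the helper names are assumptions for this example.

```ruby
# Added example, not from the original card or from Rails. Plain-Hash model
# of the Rails 3 situation described above: attr_accessible is never
# consulted by create_with, so the controller must whitelist itself.

# Attributes a request may set on a blog post (assumed for this example).
BLOG_POST_PERMITTED = %w[title body].freeze

# Constructed hostile request: besides the form fields the visitor sends a
# user_id and an admin flag. Keys are deliberately mixed string/symbol,
# as a params hash would allow.
HOSTILE_PARAMS = { "title" => "Hi", :body => "text", :user_id => 1, "admin" => true }.freeze

# Normalise every key to a string so symbol keys cannot slip past a
# string comparison.
def stringify(hash)
  hash.each_with_object({}) { |(key, value), out| out[key.to_s] = value }
end

# Models user.blog_posts.create_with(params[:blog_post]).create in Rails 3:
# the association supplies user_id, then every key of the request hash is
# applied on top, protected attributes included.
def unsafe_attributes(params, current_user_id)
  { "user_id" => current_user_id }.merge(stringify(params))
end

# Keep only permitted keys from the request hash.
def permit(params, permitted)
  stringify(params).select { |key, _value| permitted.include?(key) }
end

# Hardened form for Rails 3: whitelist first, then merge the trusted
# user_id last so nothing from the request can override it.
def safe_attributes(params, current_user_id)
  permit(params, BLOG_POST_PERMITTED).merge("user_id" => current_user_id)
end
```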