Rails 3: Mass assignment protection and .create_with


The issue

Yesterday, Rails fixed a security issue (CVE-2014-3514) in Rails 4+. It was possible to use .where or .create_with to bypass Rails' Strong Parameters:

user.blog_posts.create_with(params[:blog_post]).create

would set all attributes on the blog post. After the fix, you have to properly whitelist the params, via params[:blog_post].permit(:title, :body).

If you did not even know .create_with existed, have a look at the API.

How this applies to Rails 3

In Rails 3, Strong Parameters did not exist yet. Instead, you used mass assignment protection via attr_accessible / attr_protected.

But for .create_with and .where, mass assignment protection has no effect. The code shown above can set protected attributes.

Unfortunately, there is no good fix for this, since you do not always want mass assignment protection to apply. Consider this:

BlogPost.create_with(:user_id => current_user.id).create(params[:blog_post])

Here you clearly want the user_id to be set, even if it is protected. It would be more dangerous not to set it.

Rails 4 can be more clever, due to how Strong Parameters work, as it can easily distinguish between user input and internal code. Rails 3 cannot, and so won't protect you from this.
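To make the difference between the two code paths concrete, here is an added, self-contained illustration (not code from this card or from Rails): a stripped-down stand-in for a Rails 3 model with attr_accessible. The mass assignment path drops non-whitelisted attributes, while scope attributes from create_with are written straight through, which is the behaviour described above. It also shows the application-level workaround you are left with in Rails 3: reduce the user-supplied hash to the model's whitelist yourself before handing it to create_with, and merge internal attributes like user_id separately. MiniModel, create_with_and_create, safe_create_with_params and the USER_PARAMS hash are constructed for this example; only attr_accessible and accessible_attributes mirror real Rails 3 names.

```ruby
# Added illustration, not Rails code: a minimal model with an attr_accessible
# whitelist and the two assignment paths the card contrasts.
class MiniModel
  # Class-level whitelist, like attr_accessible in Rails 3.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible_attributes
    @accessible || []
  end

  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  # Mass assignment path: attributes not on the whitelist are dropped
  # (Rails 3 would log a warning; here they are silently skipped).
  def assign_attributes(attrs)
    attrs.each do |name, value|
      next unless self.class.accessible_attributes.include?(name.to_s)
      @attributes[name.to_s] = value
    end
    self
  end

  # create_with path: scope attributes are written directly, not through
  # mass assignment, so the whitelist does not apply to them.
  def apply_scope_attributes(attrs)
    attrs.each { |name, value| @attributes[name.to_s] = value }
    self
  end

  # Mirrors Model.create_with(scope).create(user_input): scope attributes
  # first, then mass-assigned user input.
  def self.create_with_and_create(scope_attrs, user_attrs = {})
    new.apply_scope_attributes(scope_attrs).assign_attributes(user_attrs)
  end
end

class BlogPost < MiniModel
  attr_accessible :title, :body
end

# Application-level workaround (hypothetical helper): whitelist user input
# against the model's own attr_accessible list before it reaches create_with,
# then merge internal attributes the application controls.
def safe_create_with_params(model_class, user_params, internal_attrs = {})
  allowed = model_class.accessible_attributes
  whitelisted = user_params.each_with_object({}) do |(name, value), h|
    h[name.to_s] = value if allowed.include?(name.to_s)
  end
  whitelisted.merge(internal_attrs.transform_keys(&:to_s))
end

# Constructed request parameters containing attributes that are not whitelisted.
USER_PARAMS = { 'title' => 'Hello', 'body' => 'text', 'user_id' => 1, 'admin' => true }.freeze

# Raw params through create_with: protected attributes are set.
def unsafe_example
  BlogPost.create_with_and_create(USER_PARAMS).attributes
end

# Whitelisted params plus an internal user_id: only title, body and the
# application-chosen user_id survive.
def safe_example(current_user_id)
  attrs = safe_create_with_params(BlogPost, USER_PARAMS, user_id: current_user_id)
  BlogPost.create_with_and_create(attrs).attributes
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_example
  p safe_example(42)
end
```

Running the file prints the two attribute hashes: the first still contains user_id and admin from the request, the second contains only the whitelisted fields and the user_id chosen by the application.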

License
Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to makandra dev (2014-08-19 09:52)