Thursday, September 25, 2008

RoR: Mass Assignment Security

In RoR, it is possible to do something called mass assignment. For instance, when a form is submitted, all of its parameters are put into the params hash, so you can do the following:

Product.create(params[:product])
product.update_attributes(params[:product])

Very simple, but by default there is a security flaw. That flaw is covered in this post. If you are concerned about this, the easiest approach is to make every one of your models require attr_accessible for any attribute you want to allow mass assignment on. Every attribute not listed is then protected by default.

In your config files, preferably in your initializers folder, add the following to protect all attributes:

ActiveRecord::Base.send(:attr_accessible, nil)

Then go through each model and decide which attributes should be exposed to mass assignment. For those that are not accessible, you must assign values explicitly:

product.store_id = store.id

This makes the assignment explicit, and it cannot be manipulated by users.
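The two behaviours side by side, as an added example that is not code from the original post: MassAssignable, UnsafeProduct, SafeProduct and the PARAMS hash are constructed stand-ins for ActiveRecord and a form post, so the whitelist semantics can be run without Rails installed.

```ruby
# Added example, not the post's code: a tiny stand-in for the Rails 2.x
# attr_accessible whitelist, so the behaviour runs without Rails installed.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    attr_reader :accessible_attributes
    # Mirrors attr_accessible: only listed names may be mass-assigned; called
    # with nil it locks every attribute (Rails' inheritance of the list down
    # to subclasses is not modelled here).
    def attr_accessible(*names)
      @accessible_attributes = names.compact.map(&:to_s)
    end
  end
  # No whitelist: every key in params is written (the flaw).
  # Whitelist: unlisted keys are dropped and returned so they can be logged.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    rejected = []
    params.each do |key, value|
      if allowed.nil? || allowed.include?(key.to_s)
        public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end
class UnsafeProduct
  include MassAssignable
  attr_accessor :name, :price, :store_id
end
class SafeProduct
  include MassAssignable
  attr_accessor :name, :price, :store_id
  attr_accessible :name, :price # store_id is only ever set explicitly in code
end
# Constructed form post: the client added a store_id field of its own.
PARAMS = { "name" => "Widget", "price" => 9.99, "store_id" => 42 }.freeze

def demo
  unsafe = UnsafeProduct.new
  unsafe.assign_attributes(PARAMS)          # store_id silently becomes 42
  safe = SafeProduct.new
  rejected = safe.assign_attributes(PARAMS) # => ["store_id"]
  safe.store_id = 7                         # explicit, like product.store_id = store.id
  [unsafe.store_id, safe.store_id, rejected]
end
```

The rejected list is what you would write to the log in a real controller, since an unexpected key in a form post is worth knowing about.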

Now that you know, go secure your applications!
