When I was studying rails, I didn't really understand what the word "mass assignment vulnerability" was, so I looked it up and summarized it in my own words.
Multiple columns can be specified at once when updating the Rails DB.
It's very convenient to be able to update multiple columns at the same time.
While convenient, there are some dangerous parts to mass assignment. That is, unauthorized requests can tamper with administrator privileges.
This is because you can edit the content posted on the form using Chrome's developer tools.
For example, suppose your User model has an admin attribute that indicates whether you are a website administrator.
If you add the admin attribute using Edit as HTML of the developer tool, enter the value and send it, the DB will be updated as it is.
In this case, even if you are not an administrator, you can sneak into the website and make mischief, which is a very dangerous situation.
* From Rails4, it is not possible to save or update to DB unless it is set to strong parameter.
There is a strong parameter to prevent mass assignment vulnerabilities. By using the
strong parameter, you can prevent unauthorized requests using developer tools.
params.require(:user).permit(:name, :email, :password, :password_confirmation)
Get the value of the key set in the argument with therequire method, and filter only the parameters you want to allow with the permit method.
Recommended Posts