[RUBY] What are mass assignment vulnerabilities?


When I was studying Rails, I didn't really understand what the term "mass assignment vulnerability" meant, so I looked it up and summarized it in my own words.

What is mass assignment?

Mass assignment is the ability to set multiple columns of a record at once when creating or updating rows in the Rails DB.
Being able to update several columns in a single step is very convenient.

While convenient, mass assignment also has a dangerous side: a tampered request can be used to change fields such as administrator privileges.

Why can administrator privileges be tampered with?

This is because the content submitted by a form can be edited in the browser with Chrome's developer tools before it is sent.
For example, suppose your User model has an admin attribute that indicates whether the user is a website administrator.
If someone adds an admin field to the form using the developer tools' "Edit as HTML", enters a value, and submits it, the DB is updated with that value as-is.
In that case a user who is not an administrator can obtain administrator privileges on the site and cause mischief, which is a very dangerous situation.
* From Rails 4 onward, attributes cannot be saved to or updated in the DB through mass assignment unless they have been permitted with strong parameters.

What are strong parameters?

Strong parameters exist to prevent mass assignment vulnerabilities. By using strong parameters, you can block the kind of tampered request that the developer tools make possible, because any parameter that was not explicitly permitted is discarded before it reaches the model.

How to use strong parameters

params.require(:user).permit(:name, :email, :password, :password_confirmation)

The require method fetches the value of the key given as its argument (here, the user hash), and the permit method filters that hash down to only the parameters you want to allow. Any extra key that was slipped into the form, such as admin, is dropped.
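As an added example (not code from the original post, and not Rails' own implementation), here is a minimal Ruby imitation of require/permit that runs without Rails. The Params and User classes are stand-ins for ActionController::Parameters and an ActiveRecord model; the request hash is constructed to contain the extra admin field described above.

```ruby
# Added example (not from the original post): a stand-in for Rails'
# params.require(...).permit(...) so the filtering can run without Rails.
class ForbiddenAttributes < StandardError; end # mimics ActiveModel::ForbiddenAttributesError
# Minimal imitation of ActionController::Parameters.
class Params
  attr_reader :permitted
  alias permitted? permitted
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_sym)
    @permitted = permitted
  end
  def to_h; @hash.dup; end
  # require: the nested key must be present, otherwise the request is rejected.
  def require(key)
    value = @hash[key.to_sym]
    raise ArgumentError, "param is missing: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end
  # permit: keep only the listed keys; anything else (e.g. :admin) is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_sym)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end
end

# Stand-in for an ActiveRecord User model with an admin column (default false).
class User
  attr_accessor :name, :email, :admin
  def initialize; @admin = false; end
  # Mass assignment: like Rails 4+, refuses a Params object that was never permitted.
  def assign_attributes(attrs)
    raise ForbiddenAttributes if attrs.is_a?(Params) && !attrs.permitted?
    attrs.to_h.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Constructed request body: the form was edited to include an admin field.
TAMPERED = { "user" => { "name" => "alice", "email" => "a@example.com", "admin" => "true" } }

# Vulnerable pattern: the raw hash is assigned unfiltered, so admin becomes "true".
def update_unsafe(raw = TAMPERED)
  User.new.assign_attributes(raw["user"])
end

# Safe pattern: strong parameters drop :admin before assignment, so admin stays false.
def update_safe(raw = TAMPERED)
  User.new.assign_attributes(Params.new(raw).require(:user).permit(:name, :email))
end
```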
