Use attr_accessible in ActiveRecord models to protect against mass assignment exploits
published
by ryanlowe
Why are "mass assignment" exploits a danger to Rails applications?
1. rorsecurity.info: Do not create records directly from form parameters
http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/
2. Railscasts: Hackers Love Mass Assignment
http://railscasts.com/episodes/26
3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
http://manuals.rubyonrails.com/read/chapter/47
--
ActiveRecord models should use attr_accessible to protect themselves against mass assignment exploits.
I've created a plugin to audit your Rails projects to detect any models which do not use attr_accessible:
http://github.com/ryanlowe/audit_mass_assignment
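As an added illustration that is not part of this post or of the audit_mass_assignment plugin: a plain-Ruby stand-in for the attr_accessible whitelist (no Rails or database needed), assuming a User-like model with a boolean admin column, showing the unprotected and protected cases side by side.

```ruby
# Imitates the attributes=(hash) entry point that new(params) and
# update_attributes(params) go through in ActiveRecord. This is a
# simplified stand-in, not ActiveRecord's own implementation.
module MassAssignable
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # Stand-in for attr_accessible: declares the whitelist of form-settable columns.
    def attr_accessible(*names); @accessible = names.map(&:to_s); end
    def accessible_attributes; @accessible; end
  end

  # Without a whitelist, every key in the untrusted hash is assigned.
  def attributes=(params)
    allowed = self.class.accessible_attributes
    params.each do |key, value|
      next if allowed && !allowed.include?(key.to_s)
      instance_variable_set("@#{key}", value)
    end
  end

  def initialize(params)
    @admin = false            # column default; must not be settable from a form
    self.attributes = params
  end
end

# Vulnerable: no whitelist, so an injected "admin" field is honoured.
class UnprotectedUser
  include MassAssignable
  attr_reader :name, :email, :admin
end

# Protected: only name and email may come from the form hash.
class ProtectedUser
  include MassAssignable
  attr_accessible :name, :email
  attr_reader :name, :email, :admin
end

# Constructed form hash: a normal signup plus an extra admin parameter.
FORM_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }

# Returns the admin flag after mass-assigning the constructed params.
def admin_after_assignment(klass)
  klass.new(FORM_PARAMS).admin
end

puts "UnprotectedUser admin: #{admin_after_assignment(UnprotectedUser)}" # true
puts "ProtectedUser admin:   #{admin_after_assignment(ProtectedUser)}"   # false
```

The audit plugin linked above flags the first kind of model; the second is what it expects every model to look like.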