Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash. There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs. Example:
User.new(params[:user])
However, I am not using a hash directly to map to the fields available in the table. Instead I am doing something like:
User.new(:first_name => params[:first_name], :last_name => params[:last_name], :address => params[:address])
or
user.update_attributes(:first_name => params[:first_name], :last_name => params[:last_name], :address => params[:address])
Why is this leading to a Mass Assignment Vulnerability? I am not blindly assigning a hash; I am selectively updating only a few of the attributes of the table.
One fix for this is by doing the following:
user = User.new
user.first_name = params[:first_name]
user.last_name = params[:last_name]
user.address = params[:address]
user.save
But this is like writing unnecessary code just so that Brakeman does not flag this as an issue. It is actually doing the same thing in 4 lines instead of a single line.
Can somebody please help me understand what the actual issue is here, or confirm that this is a false alert? Also, is there any way to prevent this false alert from appearing?
I am using Ruby 1.8.7, Rails 2.3.2, Brakeman 3.0.5.
It is possible to have mass assignment issues with values due to accepts_nested_attributes_for. However, if you are not using accepts_nested_attributes_for then this is probably a false positive.
Notice Brakeman returns a "weak" confidence warning for this code. Like most of Brakeman's "weak" confidence warnings, it is code you should take a look at but probably isn't an issue.
You can use Brakeman's ignore configuration to ignore false positives. You can also ignore weak confidence warnings by running Brakeman with -w 2. It's also possible to turn off mass assignment warnings with -x MassAssignment, but I would not recommend that since you are running an ancient (and probably very vulnerable) version of Rails.
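The following is an added example, not code from the question or the answer above, and it does not use Rails or ActiveRecord. The Model class is a deliberately simplified stand-in for ActiveRecord's attribute assignment (assigning a hash calls the "key=" writer for each key), and User#address_attributes= hand-writes the kind of writer that accepts_nested_attributes_for :address would generate. The model, attribute names and the request hash are constructed for illustration. It contrasts the three call shapes discussed above: blind assignment of params[:user] lets a client set admin; picking top-level keys by hand does not, which is why Brakeman's weak-confidence warning on that code is usually a false positive; but if one of the hand-picked values is a whole nested hash handed to a nested-attributes writer, the client again controls every attribute of the nested record.

```ruby
# Added example (not from the question or answer): a plain-Ruby stand-in for
# ActiveRecord mass assignment. Model, attribute names and PARAMS are
# constructed for illustration; nothing here is Rails' own code.

# Minimal stand-in for an ActiveRecord model: assigning a hash calls "#{key}="
# for every key, which is all mass assignment is.
class Model
  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      # Real ActiveRecord raises on unknown attributes; here they are skipped.
      send(setter, value) if respond_to?(setter)
    end
  end
end

class Address < Model
  attr_accessor :street, :verified   # :verified is meant to be set by staff only
end

class User < Model
  attr_accessor :first_name, :last_name, :admin, :address   # :admin is privileged

  # Stand-in for the writer accepts_nested_attributes_for :address generates:
  # it mass-assigns the nested hash onto the associated record.
  def address_attributes=(attrs)
    self.address = Address.new(attrs)
  end
end

# Constructed request: the client added fields the form never offered. Rails
# parses ?user[admin]=1&user[address][verified]=1 into nested hashes like this.
PARAMS = {
  "user" => {
    "first_name" => "Alice",
    "last_name"  => "Smith",
    "admin"      => "1",                                                # injected
    "address"    => { "street" => "1 Main St", "verified" => "1" }      # "verified" injected
  }
}

# 1. Blind mass assignment (the first warning type): the injected key lands.
def blind_assignment(params)
  User.new(params["user"])
end

# 2. Selective top-level keys (the question's code): only the chosen keys are
#    passed, so "admin" cannot be set. Brakeman still flags this at weak confidence.
def selective_assignment(params)
  User.new(:first_name => params["user"]["first_name"],
           :last_name  => params["user"]["last_name"])
end

# 3. Selective keys, but one value is an entire nested hash handed to a
#    nested-attributes writer: the client now controls every Address attribute.
def nested_assignment(params)
  User.new(:first_name         => params["user"]["first_name"],
           :address_attributes => params["user"]["address"])
end

# 4. Hardened nested case: whitelist the nested keys before passing them on.
ADDRESS_FIELDS = %w[street]

def nested_assignment_filtered(params)
  address = params["user"]["address"].select { |k, _| ADDRESS_FIELDS.include?(k) }
  User.new(:first_name         => params["user"]["first_name"],
           :address_attributes => address)
end

if __FILE__ == $0
  puts "blind:     admin=#{blind_assignment(PARAMS).admin.inspect}"
  puts "selective: admin=#{selective_assignment(PARAMS).admin.inspect}"
  puts "nested:    verified=#{nested_assignment(PARAMS).address.verified.inspect}"
  puts "filtered:  verified=#{nested_assignment_filtered(PARAMS).address.verified.inspect}"
end
```

The practical check for the code in the question is therefore: for each value you pass into new or update_attributes, ask whether it can itself be a hash that reaches a nested-attributes writer (or anything else that fans out into further assignments). Scalar columns like first_name cannot, so that warning is safe to mark as ignored in Brakeman's ignore configuration; a nested hash needs filtering like case 4 above.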