
Ruby on Rails - When to use params.permit! and how to replace it


I'm working on a legacy Rails application, and the controllers have many instances of params.permit!. When I run a Brakeman scan on it, Brakeman flags params.permit! as opening the application up to mass assignment vulnerabilities.

My question is: what is the most effective way to get around this params.permit! vulnerability and replace it?


Solution

  • params.permit! whitelists all attributes, leading to mass assignment vulnerabilities. The best way to get around this is by whitelisting only the necessary attributes, like so:

    params.permit(:attr1, :attr2..)

    Even better, use require together with permit:

    Allows you to choose which attributes should be whitelisted for mass updating and thus prevent accidentally exposing that which shouldn't be exposed. Provides two methods for this purpose: require and permit. The former is used to mark parameters as required. The latter is used to set the parameter as permitted and limit which attributes should be allowed for mass updating.

    params.require(:key).permit(:attr1, :attr2..)
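To make the difference between permit! and require/permit concrete without a Rails app, here is an added example that is not part of the original answer. The ParamFilter class below is a small pure-Ruby stand-in that mirrors the ActionController::Parameters behaviour the answer describes (it is not the Rails implementation); the request body, the user/name/email/admin/profile keys, and the helper names with_permit_all and with_strong_params are all constructed for the illustration.

```ruby
# Added example (not from the original answer): a simplified stand-in for
# ActionController::Parameters so that permit! vs require/permit can be run
# without Rails. Real controllers use params, which behaves the same way for
# the cases shown here.

class ParamFilter
  class ParameterMissing < StandardError; end

  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # Equivalent of params.permit!: everything the client sent is returned,
  # including keys the controller never intended to accept (e.g. "admin").
  def permit!
    @hash.dup
  end

  # Equivalent of params.require(:key): fail loudly when the top-level key is
  # absent instead of silently mass-assigning from the whole request.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if value.nil? || value == {}
    ParamFilter.new(value)
  end

  # Equivalent of params.permit(:a, :b, nested: [:c]): keep only the listed
  # scalar keys; a Hash entry allows the listed keys inside a nested hash.
  def permit(*filters)
    allowed = {}
    filters.each do |f|
      case f
      when Symbol, String
        allowed[f.to_s] = @hash[f.to_s] if @hash.key?(f.to_s)
      when Hash
        f.each do |nested_key, nested_filters|
          nested = @hash[nested_key.to_s]
          next unless nested.is_a?(Hash)
          allowed[nested_key.to_s] = ParamFilter.new(nested).permit(*nested_filters)
        end
      end
    end
    allowed
  end
end

# Constructed request body: a signup form where the client has added an
# "admin" field and a nested "rank" field that the form never offered.
MALICIOUS_PARAMS = {
  "user" => {
    "name" => "alice", "email" => "alice@example.com", "admin" => true,
    "profile" => { "bio" => "hi", "rank" => 99 }
  }
}.freeze

# The legacy pattern the question asks about: params.permit!
def with_permit_all(raw = MALICIOUS_PARAMS)
  ParamFilter.new(raw["user"]).permit!
end

# The replacement: params.require(:user).permit(...)
def with_strong_params(raw = MALICIOUS_PARAMS)
  ParamFilter.new(raw).require(:user).permit(:name, :email, profile: [:bio])
end

if __FILE__ == $PROGRAM_NAME
  p with_permit_all     # "admin" => true and "rank" => 99 reach the model
  p with_strong_params  # only name, email and profile.bio survive
end
```

In a Rails controller the permit call is conventionally extracted into a private method (for example `user_params`) that is passed to `User.new` or `update`, so every action in the controller goes through the same whitelist and Brakeman stops reporting the permit! finding.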