Strong Parameters in Rails 4

The story behind Strong Parameters in Rails 4

captured sparks

On 4 March 2012, Egor Homakov exploited a mass assignment vulnerability in GitHub to add his public SSH key to the Rails project, thereby giving himself commit access to the Rails repository. He appears to have carried out the exploit after the issue he had raised about mass assignment on the Rails GitHub tracker was closed as a “won’t fix”.

To understand the issue, you need to understand how Rails makes it easy to interact with the database. If you have a form that creates a model, Rails passes the controller a hash of parameters when the form is submitted. If you check your logs when submitting a form, you will see something like this for, say, a User model:

In the controller, you can access this hash to create or update your user:

At the time, Rails had a permissive default: unless the model declared otherwise (with attr_accessible or attr_protected), any attribute of the User model could be set through mass assignment, including attributes the form never exposed. If you…
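The following is an added example, not code from the original post and not Rails’ own implementation: a dependency-free stand-in for ActiveRecord mass assignment and for the Rails 4 strong-parameters whitelist. The User model, its admin flag and the attacker’s request parameters are all constructed for illustration.

```ruby
# Added example, not code from the original post and not Rails' own
# implementation: a dependency-free stand-in for ActiveRecord mass assignment
# and for Rails 4 strong parameters. The User model, its admin flag and the
# request parameters are all constructed for illustration.

# Hypothetical model. The admin flag is exactly the kind of attribute that a
# public form must never be allowed to set.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Permissive mass assignment, the pre-Rails-4 default: every key in the
  # submitted hash becomes a setter call, whether the form exposed it or not.
  def assign_all(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Minimal model of strong parameters (not the real ActionController::Parameters):
# the controller states which keys it will accept; everything else is dropped
# and recorded so it can be logged or raised on.
class StrongParams
  attr_reader :unpermitted

  def initialize(hash)
    @hash = hash.to_h.transform_keys(&:to_s)
    @unpermitted = []
  end

  # Like params.require(:user): the nested hash must be present and non-empty.
  def require(key)
    value = @hash[key.to_s]
    unless value.is_a?(Hash) && !value.empty?
      raise ArgumentError, "param is missing or the value is empty: #{key}"
    end
    StrongParams.new(value)
  end

  # Like permit(:name, :email): returns only the whitelisted keys.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @unpermitted = @hash.keys - allowed
    @hash.select { |key, _| allowed.include?(key) }
  end
end

# Constructed attacker request: the sign-up form sends name and email, and the
# attacker adds an admin key to the body (trivial with curl or a proxy).
ATTACKER_PARAMS = {
  "user" => { "name" => "eve", "email" => "eve@example.com", "admin" => true }
}.freeze

# Vulnerable controller action: the equivalent of User.new(params[:user])
# with no whitelist, so the injected admin flag is honoured.
def vulnerable_create(params)
  User.new.assign_all(params["user"])
end

# Hardened action: require the user sub-hash, permit only the form's fields.
# Returns the user and the list of keys that were dropped.
def hardened_create(params)
  user_params = StrongParams.new(params).require(:user)
  permitted = user_params.permit(:name, :email)
  [User.new.assign_all(permitted), user_params.unpermitted]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: admin=#{vulnerable_create(ATTACKER_PARAMS).admin}"
  user, dropped = hardened_create(ATTACKER_PARAMS)
  puts "hardened:   admin=#{user.admin}, dropped=#{dropped.inspect}"
end
```

Run with `ruby strong_params_demo.rb`: the vulnerable path creates an admin user from a plain sign-up request, the hardened path creates a normal user and reports `["admin"]` as dropped. The point of the whitelist sitting in the controller rather than the model is that the same User model can legitimately have admin set by an admin-only action that permits it, while the public sign-up action never does.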

View original post 450 more words
