The story behind Strong Parameters in Rails 4
On 4 March 2012, Egor Homakov took advantage of a mass assignment vulnerability to add his public key to the Rails repository, thereby giving himself commit access to Rails. It appears he carried out the exploit after the issue he raised on GitHub was closed as a “won’t fix”.
To understand the issue, you need to understand how Rails makes it easy to interact with the database. If you have a form that creates a model, Rails passes the submitted form fields to the controller as a hash of parameters. If you check your logs when submitting a form for, say, a User model, you will see something like this:
In the controller, you can access this hash to create or update your user:
At the time, Rails had a permissive design: unless you declared otherwise, any attribute on the User model could be set through mass assignment, including attributes the form never exposed. If you…
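The permissive behaviour described above, contrasted with an allow-list in the spirit of Strong Parameters, as an added example that is not part of the original post. It is plain Ruby rather than Rails so it runs stand-alone: the User class, its admin attribute, the permit helper and the submitted parameters are all constructed for illustration.

```ruby
# Added example (not from the original post): a plain-Ruby simulation of
# mass assignment that runs without Rails. The User class, its admin
# attribute, the permit helper and SUBMITTED are constructed for illustration.

# A minimal model whose writable attributes include a privileged flag that
# the sign-up form never exposes.
class User
  ATTRIBUTES = %i[name email admin].freeze
  attr_accessor(*ATTRIBUTES)

  # Permissive mass assignment: every key in the hash becomes an attribute
  # write. This mirrors the pre-Rails-4 default the post describes.
  def initialize(attrs = {})
    attrs.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
  end
end

# Allow-list filter in the spirit of Strong Parameters' permit: only the
# listed keys survive; everything else (including admin) is dropped.
def permit(params, *allowed)
  params.select { |key, _| allowed.include?(key.to_sym) }
end

# Constructed request parameters: a form that posts name and email, with an
# extra admin=true field added by the client.
SUBMITTED = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

# The pattern from the post: hand the whole hash to the model.
def vulnerable_create(params)
  User.new(params) # admin flag is honoured
end

# Filter through the allow-list first, as Strong Parameters does.
def hardened_create(params)
  User.new(permit(params, :name, :email)) # admin flag is discarded
end

if __FILE__ == $0
  puts "vulnerable: admin=#{vulnerable_create(SUBMITTED).admin.inspect}"
  puts "hardened:   admin=#{hardened_create(SUBMITTED).admin.inspect}"
end
```

In a real Rails 4 controller the same allow-list is expressed as `params.require(:user).permit(:name, :email)`; the point of the simulation is that the filter sits in the controller, at the boundary where untrusted input arrives, rather than relying on the model to know which attributes a given form should be able to touch.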