Reputation: 715
I'm working on securing an existing Rails 3 project. Running brakeman, I'm receiving this warning for many model classes: "Potentially dangerous attribute available for mass assignment: :example_id"
All of the warnings are on _id columns.
The models currently look like this:
class Comment < ActiveRecord::Base
  # whitelists the foreign keys for mass assignment; brakeman flags the _id entries
  attr_accessible :commentable_id, :content, :user_id
end
Along with the main question, if the _id columns are removed to satisfy the warnings, what is the proper way to set these fields then?
Upvotes: 1
Views: 3149
Reputation: 2280
If you use it, by default ALL parameters are forbidden. If any controller should use some parameters, you need to explicitly permit them.
Let's imagine you have Users and Entries. If someone is going to update his entry and additionally sends a user_id parameter, he could re-assign the record's user, which is really bad.
Since strong_parameters blacklists all parameters, you allow the controller to accept only entry.name, entry.details and entry.tags (or whatever). Even if the entry.user_id is sent, it will be ignored!
You might want to take a further look: https://github.com/rails/strong_parameters
Upvotes: 0
Reputation: 8313
In Rails it's always better to use the Active Record association API.
In your case it's safer and cooler to:
@commentable = Commentable.take
@commentable.comments.build attribute: 'value', ...
# or
@commentable.comments.create attribute: 'value', ...
Rather than:
Comment.new commentable_id: @commentable.id, attribute: 'value', ...
Therefore if you'll stick with best practices you won't need to whitelist commentable_id or any other _id.
You should also consider the currently recommended mass-assignment protection solution — Strong Parameters:
— «How to Upgrade to Strong Parameters in Rails»
Upvotes: 1
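Added example, not code from either answer and not Rails itself: a Rails-free Ruby model of the two defences both answers describe. `permit_params` stands in for strong_parameters' permit (a whitelist filter), `build_comment_for` stands in for `@commentable.comments.build`, where the foreign keys come from server-side objects, and `unsafe_build` is the mass-assignment path that lets a client-supplied user_id through. `Comment`, `EVIL_PARAMS` and all function names are constructed for this example.

```ruby
require 'set'

# Minimal stand-in for an ActiveRecord model that accepts a hash of attributes.
# (keyword_init Structs accept missing keys and reject unknown ones.)
Comment = Struct.new(:content, :user_id, :commentable_id, keyword_init: true)

# Constructed request params, as a tampered form post might send them:
# the client tries to own the comment (user_id) and move it (commentable_id).
EVIL_PARAMS = { 'content' => 'hi', 'user_id' => 999, 'commentable_id' => 42 }.freeze

# The vulnerable path: every param is mass-assigned, so the attacker's
# user_id and commentable_id land in the record.
def unsafe_build(raw)
  Comment.new(**raw.transform_keys(&:to_sym))
end

# Whitelist-only filter in the spirit of strong_parameters' permit:
# anything not listed in `allowed` is dropped, so _id keys never reach the model.
def permit_params(raw, allowed)
  allowed = allowed.map(&:to_s).to_set
  raw.each_with_object({}) do |(key, value), out|
    out[key.to_s] = value if allowed.include?(key.to_s)
  end
end

# Server-side equivalent of @commentable.comments.build(permitted):
# the association owner and the logged-in user supply the ids, not the request.
def build_comment_for(commentable_id, current_user_id, permitted)
  Comment.new(content: permitted['content'],
              user_id: current_user_id,
              commentable_id: commentable_id)
end

# Hardened flow: filter first, then let the server fill in the foreign keys.
def safe_demo(commentable_id: 7, current_user_id: 1)
  permitted = permit_params(EVIL_PARAMS, [:content])
  build_comment_for(commentable_id, current_user_id, permitted)
end
```

Running `safe_demo` yields a comment owned by user 1 on commentable 7 regardless of what the request claimed, while `unsafe_build(EVIL_PARAMS)` returns one owned by user 999.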