Tuesday, March 20, 2007

Do not create records directly from form parameters

The scaffold generator creates code like the following, which is admittedly easier to handle, but vulnerable:

@user = User.new(params[:user])

With this code, Rails creates a new user from the values the user entered: every key in the params[:user] hash that matches a column is set on the model. An attacker can therefore set arbitrary attributes of the new user, the user's privileges, for example. Suppose you have a user registration form like this:

<form method="post" action="http://www.website.domain/user/register">
  <input type="text" name="user[name]" />
  ...
</form>

An attacker could change the form (by saving it to disk, for example) to the following:

<form method="post" action="http://www.website.domain/user/register">
  <input type="text" name="user[name]" />
  <input type="text" name="user[admin]" value="1" />
  ...
</form>

 
If the attacker knows (or guesses) that the User model has an “admin” column, the newly created user will have administrator rights. One solution to this problem is not to use mass-assignment and to assign each value individually:

User.new(:first_name => params[:user][:first_name])

Another solution is to protect certain attributes so they cannot be set through mass-assignment and have to be assigned individually. The following line in your model protects the “admin” attribute, i.e. it is silently ignored during mass-assignment:

attr_protected :admin

If you want to set a protected attribute, you have to assign it individually:

@user = User.new(params[:user])
@user.admin = false
 

You can also use the whitelist approach (highly recommended), which lists the attributes that may be mass-assigned instead of forbidding access to particular ones. Use attr_accessible with the attributes you want to allow, instead of attr_protected. The advantage is that a column added later is not mass-assignable by default, whereas with attr_protected every new column is exposed until someone remembers to protect it.
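The following is an added example, not code from the original post or from Rails itself. It re-implements the mass-assignment semantics of attr_protected and attr_accessible in a small stand-in Model class (an assumption made here so the script runs without ActiveRecord), builds the attacker's modified form submission as a constructed hash, and shows four outcomes: the unprotected scaffold code grants admin, the blacklist blocks “admin” but leaks a hypothetical “role” column that nobody thought to protect, the whitelist blocks both, and filtering the params hash in the controller (the approach several commenters describe) also blocks both. The names UnprotectedUser, BlacklistedUser, WhitelistedUser, permitted and outcomes are this example's own.

```ruby
# Minimal stand-in for ActiveRecord's mass-assignment behaviour (an
# assumption for this example; the real attr_protected / attr_accessible
# live in ActiveRecord::Base). Every key in the hash becomes an attribute
# unless it is blacklisted or, when a whitelist exists, not whitelisted.
class Model
  def self.attr_protected(*names)
    @protected = names.map(&:to_s)
  end

  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.protected_attributes
    @protected || []
  end

  # nil means "no whitelist declared": everything is assignable
  def self.accessible_attributes
    @accessible
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    params.each do |key, value|
      key = key.to_s
      next if self.class.protected_attributes.include?(key)
      whitelist = self.class.accessible_attributes
      next if whitelist && !whitelist.include?(key)
      @attributes[key] = value
    end
  end

  # Form values arrive as strings; "1" is what a checkbox or the
  # attacker's hidden field sends.
  def admin?
    [true, "1"].include?(@attributes["admin"])
  end
end

# The scaffold-generated situation: no protection at all.
class UnprotectedUser < Model; end

# Blacklist: attr_protected :admin, as in the post.
class BlacklistedUser < Model
  attr_protected :admin
end

# Whitelist: only the registration fields may be mass-assigned.
class WhitelistedUser < Model
  attr_accessible :name, :email
end

# Controller-side alternative: drop every key not explicitly allowed
# before the hash ever reaches the model.
def permitted(params, allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Constructed request body, as the attacker's edited form would POST it.
# "role" stands for a column added after attr_protected :admin was written.
ATTACKER_PARAMS = {
  "user" => { "name" => "mallory", "email" => "m@example.com",
              "admin" => "1", "role" => "superuser" }
}.freeze

def outcomes(params = ATTACKER_PARAMS)
  user = params["user"]
  {
    unprotected_admin:    UnprotectedUser.new(user).admin?,
    blacklisted_admin:    BlacklistedUser.new(user).admin?,
    blacklist_leaks_role: BlacklistedUser.new(user).attributes.key?("role"),
    whitelisted_admin:    WhitelistedUser.new(user).admin?,
    whitelist_leaks_role: WhitelistedUser.new(user).attributes.key?("role"),
    filtered_admin:       UnprotectedUser.new(permitted(user, %w[name email])).admin?,
    filtered_leaks_role:  UnprotectedUser.new(permitted(user, %w[name email])).attributes.key?("role"),
  }
end

if __FILE__ == $0
  outcomes.each { |check, result| puts "#{check}: #{result}" }
end
```

Only the whitelist variants survive a schema change without a code change, which is why the post recommends attr_accessible over attr_protected.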


Reader Comments (147)

people should be testing their controllers for this stuff, but likely aren't.

If you don't want to use the broad cudgel that is attr_protected, you can also use hash filters like I devised here: http://blog.caboo.se/articles/2006/6/11/stupid-hash-tricks

March 21, 2007 | Unregistered Commentermatt lyon

My vote is for the whitelisting approach of . The safer approach for form validation (and other tasks like configuring a firewall) is to deny everything first, with specific exceptions for input you expect.

March 21, 2007 | Unregistered CommenterDan Kubb

Assigning things individually is only marginally more secure, given the fact that your example contains no server-side validation of data or authorization. Almost invariably, your application would have some sort of administrative interface to choose or set admins, and that action could be divined in the same way that the admin attribute could be. Granted, guessing that you post to /users/make_admin/1 to make an administrator is more obscure than guessing the user[admin] field, but we know better than security through obscurity.

The bottom line is that you should check your incoming data. even something as naive as the following is much more secure:

My first paragraph seems a bit combative; I don't mean it to be, but can't find a sufficient alternative to the warning. I'm firmly in the camp that the less code I have to write the better, and if I can funnel all of my changes to a given model through one vanilla action, so much the better. That means there is only one place to secure properly, one place to update as things change, and one place to test. If you package your authorization code into some declarative-style extensions to your controllers, the code can be quite simple, flexible, and composable.

My ideal pseudo-code would be something like:

-Scott Fleckenstein

March 21, 2007 | Unregistered CommenterScott Fleckenstein

Well, that didn't work out so well, let's try it with pres:

First broken code block

before_filter :only => [:update, :create] do |c|
  raise "access_denied" if c.params[:user].has_key?("admin") && !logged_in_user.admin?
end

second broken code block:

class UserController :unauthorized_access # see the rails plugin exceptional (http://nullstyle.com/home/exceptional)

  def update
    User.update(params[:id], params[:user])
  end
end

March 21, 2007 | Unregistered CommenterScott Fleckenstein

Thank you for this entry. May I suggest that the use of @params has been deprecated for a while now (use params instead).

March 21, 2007 | Unregistered CommenterAlexandre

It's amazing how many potential security holes exist in every web application. Of course I've fixed this one in my application now - thanks to you!
Keep up the good work - can't wait for your next posting ;-)

March 21, 2007 | Unregistered CommenterSteffen

[...] for your comments. Scott writes in a comment: Assigning things individually is only marginally more secure, given the fact that your example [...]

I stumbled upon the mass assignment issue too while working on a community site in Rails for a project at my university. I used the SaltedHashLoginGenerator and found it lacking a lot of the issues discussed here. BTW, it's a great site, I wish I had found it earlier !
My simple solution was to make a whitelist as an Array and just delete everything not in there from the params hash...
I found this Firefox Add-on very useful for testing attacks:
https://addons.mozilla.org/en-US/firefox/addon/966

April 4, 2007 | Unregistered CommenterMartin Tepper

Ryan at Railscasts.com has a video dealing with mass assignment.

Check it out:

May 5, 2007 | Unregistered CommenterCurtis Miller
