I'm working on a legacy Rails application and the controllers have many instances of params.permit!. When running a Brakeman scan on it, params.permit! opens up the application to mass assignment vulnerabilities.
My question is: what is the most effective way to get around this params.permit! vulnerability and replace it?
The permit method returns a copy of the parameters object containing only the permitted keys and values.
As you might have guessed, params is an alias for the parameters method. params comes from ActionController::Base, which is accessed by your application via ApplicationController. Specifically, params refers to the parameters being passed to the controller via a GET or POST request.
Strong Parameters, aka Strong Params, are used in many Rails applications to increase the security of data sent through forms. Strong Params allow developers to specify in the controller which parameters are accepted and used.
Sometimes, you are looking to permit all the parameters of your Rails model in controller strong parameters. Instead of specifying them explicitly, one by one, you can permit all of the model attributes. However, this is not a good practice for a production application.
Rails introduced the “strong parameters” system back in Rails 4 as a security feature. It forces you to whitelist the attributes that can be saved. This prevents an issue known as “mass assignment”, which allows malicious users to set admin = true, or to set other fields that they normally wouldn’t have access to.
The permit method takes a list of allowed (but optional) attributes. As a result, you get back a new params hash containing only these attributes, and that hash is now cleared to be saved to the database. Notice that a regular Ruby hash bypasses this security system entirely.
Let’s create a simple Rails app and review how params changes with and without ParamsWrapper. Create a new Rails app on the command line. Add a controller called /controllers/meetups_controller.rb, and paste in the following. Edit /config/routes.rb. And make a request from the command line. The Rails server logs will now display below.
params.permit! whitelists all attributes, leading to the vulnerabilities of mass assignment. The best way to get around this is by whitelisting only the necessary attributes, like so:
params.permit(:attr1, :attr2..)
Even better, use require with permit:
Allows you to choose which attributes should be whitelisted for mass updating and thus prevent accidentally exposing that which shouldn't be exposed. Provides two methods for this purpose: require and permit. The former is used to mark parameters as required. The latter is used to set the parameter as permitted and limit which attributes should be allowed for mass updating.
params.require(:key).permit(:attr1, :attr2..)
I assume that someone added the params.permit! after a Rails upgrade to avoid looking into "strong parameters" and setting it up correctly.
The correct way to fix this is by going through every controller and reviewing what params you need and want to permit for every action, and then using params.permit (without the exclamation mark) to set up the whitelist for permitted parameters:
https://apidock.com/rails/ActionController/Parameters/permit
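As an added illustration of the difference both answers describe (this is not code from the question, the answers, or Rails itself), the small Params class below is a simplified stand-in for ActionController::Parameters, and REQUEST is a constructed form submission with an injected admin flag; it runs stand-alone without Rails.

```ruby
# Simplified model of ActionController::Parameters (assumption: not the real
# Rails class, just enough behaviour to show permit! versus require/permit).
class Params
  class ParameterMissing < StandardError; end

  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # Equivalent of params.permit!: every key is accepted, so an attacker-
  # controlled field such as "admin" reaches the model untouched.
  def permit_all
    @hash.dup
  end

  # Equivalent of params.require(:key): raise if the key is absent or blank
  # (Rails turns ParameterMissing into an HTTP 400), otherwise scope into it.
  def require(key)
    value = @hash[key.to_s]
    blank = value.nil? || (value.respond_to?(:empty?) && value.empty?)
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if blank
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # Equivalent of params.permit(:a, :b): keep only the whitelisted scalar keys
  # and silently drop everything else (Rails can log or raise on dropped keys
  # via config.action_controller.action_on_unpermitted_parameters).
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, v| allowed.include?(k) && !v.is_a?(Hash) }
  end
end

# Constructed request body: a normal sign-up form with an injected admin flag.
REQUEST = { "user" => { "name" => "alice", "email" => "a@example.com", "admin" => true } }

# What the legacy controllers do today: admin => true survives.
def unsafe_user_params
  Params.new(REQUEST["user"]).permit_all
end

# The fix from both answers: only :name and :email can reach User.new/update.
def safe_user_params
  Params.new(REQUEST).require(:user).permit(:name, :email)
end
```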