Project owners:
  ryanlowe

This SVN repository is no longer active! The project has been MOVED to GitHub:

http://github.com/ryanlowe/audit_mass_assignment

===

The audit_mass_assignment Ruby on Rails plugin contains a rake task that checks the models in your project for use of the attr_accessible whitelist, the approach for protecting against "mass assignment" exploits. It does not check for use of attr_protected!

If a Rails model does not use attr_accessible, it fails this audit. The audit does not check which attributes are accessible or protected, only that at least one attribute is marked as accessible.

You can run the audit periodically to make sure all of your project's models use attr_accessible. Other audit plugins for Rails could be created to automatically check for bad patterns or insecure code. This one was relatively easy to write.

$ ./script/plugin install http://audit-mass-assignment.googlecode.com/svn/trunk/audit_mass_assignment/
$ rake audit:mass_assignment

If you want to protect ALL attributes use:

attr_accessible nil
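The check the rake task performs, and the way an `attr_accessible nil` declaration satisfies it, can be illustrated with a small stand-alone script. This is an added example, not the plugin's own code: it scans model source text for an `attr_accessible` declaration at the start of a line (so a commented-out declaration does not count) and lists every model that lacks one. The model sources below are constructed for the example; `audit_directory` is a hypothetical helper that applies the same check to the `.rb` files in a real `app/models` directory.

```ruby
# Added example (not the audit_mass_assignment plugin's own code): a minimal
# reimplementation of the audit described on this page. A model passes if it
# declares attr_accessible anywhere in its source; attr_protected is ignored,
# exactly as the page states.

# A real declaration starts its line (leading whitespace allowed). A line such
# as "# attr_accessible :body" is a comment and must not count as protection.
ATTR_ACCESSIBLE_RE = /^\s*attr_accessible\b/

def uses_attr_accessible?(source)
  source.lines.any? { |line| line =~ ATTR_ACCESSIBLE_RE }
end

# models: { 'ModelName' => 'ruby source' }. Returns the names that FAIL.
def audit_models(models)
  models.reject { |_name, src| uses_attr_accessible?(src) }.keys
end

# Hypothetical helper: run the same check over app/models/*.rb on disk.
def audit_directory(models_dir)
  sources = Dir.glob(File.join(models_dir, '*.rb')).each_with_object({}) do |path, h|
    h[File.basename(path, '.rb')] = File.read(path)
  end
  audit_models(sources)
end

# Constructed model sources covering the cases the page describes.
MODEL_SOURCES = {
  'User' => <<~RUBY,
    class User < ActiveRecord::Base
      # whitelist: only these attributes may be set from params
      attr_accessible :name, :email
    end
  RUBY
  'Post' => <<~RUBY,
    class Post < ActiveRecord::Base
      # blacklist only; the audit does not count attr_protected
      attr_protected :author_id
    end
  RUBY
  'Comment' => <<~RUBY,
    class Comment < ActiveRecord::Base
      # attr_accessible :body   (commented out, so it does not count)
      belongs_to :post
    end
  RUBY
  'Setting' => <<~RUBY,
    class Setting < ActiveRecord::Base
      attr_accessible nil # protect ALL attributes; still passes the audit
    end
  RUBY
}.freeze

if $PROGRAM_NAME == __FILE__
  failures = audit_models(MODEL_SOURCES)
  if failures.empty?
    puts 'All models use attr_accessible.'
  else
    puts "Models missing attr_accessible: #{failures.join(', ')}"
  end
end
```

Run against the constructed sources, the script reports `Post` (blacklist only) and `Comment` (commented-out declaration) as failures, while `User` and `Setting` pass. Like the plugin, it only confirms that a whitelist exists; which attributes are whitelisted is left to code review.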

Why are "mass assignment" exploits a danger to Rails applications? See these links:

1. rorsecurity.info: Do not create records directly from form parameters

2. Railscasts: Hackers Love Mass Assignment

3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
Hosted by Google Code