All geek questions in one place

How does this stop mass assignment?

I wanted to start using attr_accessible with my models to stop the mass assignment problem. I understand how this works, and I researched as much as I could.

What I don't understand is the difference between using update_attributes (params [: my_form]) or create (params [: my_form]) and setting up the fields one by one? Are you so vulnerable?

What is the difference between NOT with attr_accessible and doing this ...

@model_object = ModelObject.new @model_object.create(params[:model_object_params])

And getting attr_accessible and doing it ...

 @model_object = ModelObject.new @model_object.field1 = params[:model_object_params][:field1] @model_object.field2 = params[:model_object_params][:field2] @model_object.field3 = params[:model_object_params][:field3] @model_object.save!

Aren't both of these recording methods just as vulnerable? A hacker / cracker can send a URL to both of these methods and both will do the same, right?

Or uses attr_accessible and updates the fields one by one, does something different, or somehow becomes more secure?

Where all these methods that I find use attr_accessible make no sense to me. It seems that he does the same in two different ways. What am I missing?

Thanks.

+6
source share
4 answers

How you do this does not interfere with "mass assignment."

Bulk assignment is a term used when Rails processes attribute assignments in a model. This is usually done in the controller using the names and values ​​in params .

When you do the assignment of yourself, it is also a “mass assignment”, in some way; but you have great control over what to appoint and what not in this case. Thus, in order to maintain a record of the code for the template code, Rails provides attr_accesible - the same control, less code.

To find out how it is used:

Suppose the ActivityLog model has the user_ip_address attribute.

user_ip_address is now an attribute in the model and can be assigned by mass assignment or "self-expanded mass assignment".

But in both cases this is not true - you do not want user input to set a value for this attribute.

Instead, you want to always find out the actual IP address of the user and assign it (ignoring any value in params ). That way you would exclude user_ip_address from attr_accessible and instead assign it yourself.

 attr_accessible :all_attributes_except_user_ip_address @al = ActivityLog.new(params[:model_object_params]) @al.user_ip_address = get_origin_user_ip_address @al.save

For any information that the user cannot change, use attr_accessible and remove it from the list.

+7
source

The short answer is that it stops field4 from implicit assignment.

The difference is that without attr_accessible hacker could update a field that is not in your form. With attr_accessible this is not possible.

eg. if your user model has an is_admin field, the hacker can try to create a new administrator by posting:

 params[:user][:is_admin] = true

If attr_accessible set (and obviously it should not contain is_admin ), this is not possible.

About your example: if your model has only field1 , field2 and field3 , and there are no other database columns that you want to protect, there is no need to use attr_accessible . Hope this is clear.

Just remember:

Without any precautions, Model.new (params [: model]) allows attackers to set any database columns to a value.

Source: http://guides.rubyonrails.org/security.html#mass-assignment

+3
source

The idea here is to limit the parameters that you accept for a given model. You can then check each of them either with validation or with a different code to make sure they match the expected values.

Attr_accessible is designed to limit the "surface" of your model to what you intend to accept and carefully verify. Thus, you can automatically ignore the entered parameter, for example: role => "admin" if you add this function to your model.

 user.update_attributes(params[:user])

Because the role attribute is not specified in attr_accessible, the user is trying to become a sterile administrator.

You want to process the verification logic in one place (your model) instead of checking each parameter value in the controller.

+2
source

Mass assignment is not what you prevent, it is what you control. This is a good feature that makes things easier and cleaner, but without any ability to control what is installed through mass use, it is a potential security hole. attr_accessible , as others have noted, provides control.

+2
source

Source: https://habr.com/ru/post/890975/

More articles:


All Articles