Mass Assignment Vulnerability
Description
The application permits attributes that could lead to mass assignment vulnerabilities. Permitting attributes such as `admin`, `role`, `banned`, etc., without proper authorization checks can lead to security issues like unauthorized access or privilege escalation.
Examples
Insecure Code
```ruby
# params.permit! marks every parameter the client sent as permitted, so
# attributes such as admin, role and banned reach the model without any
# authorization check.
params.permit!
```
Secure Code
```ruby
def user_params
  # Explicit allow-list: only name and email may be mass-assigned by anyone.
  permitted = params.require(:user).permit(:name, :email)
  # role is honoured only when the caller is already an admin and actually sent it.
  permitted[:role] = params[:user][:role] if current_user.admin? && params[:user][:role].present?
  permitted
end
```
Remediation
Explicitly permit attributes, implement role-based permissions, and avoid using `params.permit!`. Use specific permit statements instead of permitting all parameters to ensure only expected attributes are allowed for mass assignment.
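The following is an added example, not code from the rule page or from Rails, that runs without Rails so the two approaches above can be executed side by side. The `User` and the plain-hash `params` stand in for an ActiveRecord model and `ActionController::Parameters`; `insecure_user_params` behaves like `params.permit!`, and `secure_user_params` mirrors the page's `user_params` with its admin-only `role` rule. The tampered request body is constructed for the example.

```ruby
# Added example (assumption: a minimal stand-in for ActiveRecord mass
# assignment and for ActionController::Parameters, not the real Rails API).

class User
  attr_accessor :name, :email, :role, :banned

  def initialize(role: "user", banned: false)
    @role = role
    @banned = banned
  end

  # Mimics ActiveRecord#assign_attributes: every key in the hash is written,
  # which is exactly why the attribute filter in front of it matters.
  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end

  def admin?
    role == "admin"
  end
end

# Constructed request body: a normal user smuggling privileged fields into a
# profile update.
TAMPERED_PARAMS = {
  "user" => {
    "name"   => "mallory",
    "email"  => "mallory@example.test",
    "role"   => "admin",
    "banned" => false
  }
}.freeze

# Insecure: equivalent of params.permit! -- everything the client sent is
# passed straight to the model.
def insecure_user_params(params)
  params.fetch("user", {})
end

# Secure: explicit allow-list; role is only copied through for an admin caller
# and only when it was actually sent.
def secure_user_params(params, current_user)
  user = params.fetch("user", {})
  permitted = user.slice("name", "email")
  if current_user.admin? && !user["role"].to_s.empty?
    permitted["role"] = user["role"]
  end
  permitted
end

# Applies the filtered attributes to the target and returns it.
def update_user(target, attrs)
  target.assign_attributes(attrs)
end

if __FILE__ == $PROGRAM_NAME
  victim = update_user(User.new, insecure_user_params(TAMPERED_PARAMS))
  puts "permit!-style filter: role=#{victim.role}"            # admin
  safe = update_user(User.new, secure_user_params(TAMPERED_PARAMS, User.new))
  puts "allow-list, non-admin caller: role=#{safe.role}"      # user
  elevated = update_user(User.new,
                         secure_user_params(TAMPERED_PARAMS, User.new(role: "admin")))
  puts "allow-list, admin caller: role=#{elevated.role}"      # admin
end
```

Run it with `ruby mass_assignment_example.rb`: the permit!-style path lets the request flip `role` to `admin`, while the allow-list drops `role` and `banned` unless the current user is already an admin.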
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0542 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-915 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | mass assignment, ruby on rails |
| OWASP | A6:2017-Security Misconfiguration, A08:2021-Software and Data Integrity Failures |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/model-attr-accessible.yaml
- https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html