Unprotected Mass Assignment

Description

Using `:without_protection => true` during mass assignment allows users to bypass permissions protections, making the application vulnerable to unauthorized access or data manipulation.

Examples

Insecure Code

ruby

User.new(params[:user], :without_protection => true)

Secure Code

ruby

class User < ActiveRecord::Base
  attr_accessible :name, :email
end

Remediation

Configure `attr_accessible` to control attribute access instead of using `:without_protection => true`

Rule Details

Field	Value
ID	CODE-0543
Category	Injection
Severity	MEDIUM
CWE	CWE-915
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	mass assignment, attribute access
OWASP	A6:2017-Security Misconfiguration, A08:2021-Software and Data Integrity Failures

References

https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/unprotected-mass-assign.yaml
https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Unprotected Mass Assignment

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Unprotected Mass Assignment ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Unprotected Mass Assignment

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References