Web Development

Having been a Rails developer for 2-3 years now, I caught up on the news about Github’s mass assignment vulnerability.

Mass Assignment

Mass assignment is supposed to be a feature of Rails (it still is): you set up a number of attributes in a hash and save them all at once. This is especially handy when dealing with forms.

However, a malicious user can add extra attributes to that hash, making the application vulnerable to having unintended attributes injected into the saved record.

Solution

This problem wasn’t supposed to be an issue if only attr_accessible had been used more consistently. You won’t be able to set an attribute through mass assignment unless you add it to the attr_accessible list. This is a Rails practice that should be followed from the start.

Mass assignment was an issue the Rails community solved quickly by making attr_accessible whitelisting enabled automatically.

CakePHP

In CakePHP, the mass assignment could be a problem too.

if ($this->User->save($this->request->data)) {
    // do some saving
}

If $this->request->data were tampered with, this could be dangerous.

if ($this->User->save($this->request->data, true, array('id', 'username', 'password'))) {
    // do some saving
}

The Model’s save method takes a third parameter: an array of the fields that should be saved. CakePHP will safely ignore any extra fields.

Voila! Mass assignment vulnerability foiled!
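Both fixes above, attr_accessible in Rails and the fieldList argument of save() in CakePHP, come down to the same idea: the hash from the request is filtered against a whitelist before it touches the model. The following is an added example in plain Ruby (not Rails or CakePHP code, and not from the original post) that shows the unfiltered assignment beside the whitelisted one on a constructed, tampered form payload; the User class, its admin flag and the TAMPERED_PARAMS hash are all hypothetical.

```ruby
# Added example: a minimal model that assigns attributes from a hash, first
# without and then with a whitelist, to show why an unfiltered request hash
# is dangerous. Hypothetical model, not ActiveRecord or CakePHP's Model.
class User
  # All columns the model knows about; "admin" must never come from a form.
  ATTRIBUTES = [:username, :password, :admin].freeze
  # The whitelist, playing the role of attr_accessible / fieldList.
  ACCESSIBLE = [:username, :password].freeze

  attr_reader :username, :password, :admin

  def initialize
    @admin = false
  end

  # Vulnerable pattern: every key in the hash that matches a column is set.
  def assign_unfiltered(params)
    params.each do |key, value|
      key = key.to_sym
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key)
    end
    self
  end

  # Hardened pattern: only whitelisted keys are set; the rest are reported
  # back so the caller can log them as a sign of a tampered request.
  def assign_whitelisted(params, accessible = ACCESSIBLE)
    ignored = []
    params.each do |key, value|
      key = key.to_sym
      if accessible.include?(key)
        instance_variable_set("@#{key}", value)
      else
        ignored << key
      end
    end
    ignored
  end
end

# Constructed payload: the form only has username and password fields, but
# the client has added an extra "admin" key to the submitted data.
TAMPERED_PARAMS = { "username" => "alice", "password" => "s3cret", "admin" => true }.freeze

# Returns the user built the vulnerable way (admin ends up true).
def unfiltered_user(params = TAMPERED_PARAMS)
  User.new.assign_unfiltered(params)
end

# Returns [user, ignored_keys] built the whitelisted way (admin stays false).
def whitelisted_user(params = TAMPERED_PARAMS)
  user = User.new
  ignored = user.assign_whitelisted(params)
  [user, ignored]
end

if __FILE__ == $0
  puts "unfiltered:  admin=#{unfiltered_user.admin}"
  user, ignored = whitelisted_user
  puts "whitelisted: admin=#{user.admin} ignored=#{ignored.inspect}"
end
```

The ignored-keys list is the piece worth keeping in a real application: a request that carries attributes the form never had is a cheap thing to log and alert on. One more thing to look at in the CakePHP snippet above: including 'id' in the field list means the request can choose which record the save targets, so for a form submission it usually belongs outside the whitelist.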

Other PHP Frameworks