Ruby Rails Mass Assignment
Description
Detects unsafe mass assignment in Ruby on Rails applications where the permit! method is called on request parameters, which allows every submitted parameter through to the model without restriction. An attacker who controls the request body can then set attributes the form never exposed, such as an admin flag or an account balance.
Detection Strategy
• Look for calls to the permit! method on the params object in controller actions
• Verify the code is within a class that inherits from ApplicationController
• Check whether params is reached through a method chain (params.permit!, params.require(...).permit!), element access (params[...].permit!), or a direct symbol lookup
• Flag any occurrence where permit! is called instead of an explicit attribute whitelist (permit(:a, :b))
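The detection strategy above, as an added example that is not Fluid Attacks' own scanner: a hypothetical Ripper-based checker that reports permit! calls whose receiver chain starts at params inside classes that inherit from ApplicationController. The module name, the scan API and the sample source are all constructed for this illustration.

```ruby
require "ripper"
# Hypothetical checker (added example, not Fluid Attacks' engine). It parses Ruby
# with Ripper and reports permit! calls rooted at params inside controllers.
module PermitBangDetector
  # Follow .method / [...] / (args) nodes back to the root receiver's name.
  def self.root_receiver(node)
    return nil unless node.is_a?(Array)
    case node[0]
    when :call, :command_call, :method_add_arg, :aref then root_receiver(node[1])
    when :vcall, :var_ref then node[1][0] == :@ident ? node[1][1] : nil
    end
  end

  # A :call / :command_call node whose method identifier is permit!
  def self.permit_bang?(node)
    node.is_a?(Array) && [:call, :command_call].include?(node[0]) &&
      node[3].is_a?(Array) && node[3][0] == :@ident && node[3][1] == "permit!"
  end

  # Returns [[class_name, line], ...]; `controller` is the enclosing class name
  # when it inherits from ApplicationController, nil otherwise.
  def self.scan(source, node = Ripper.sexp(source), controller = nil, out = [])
    return out unless node.is_a?(Array)
    if node[0] == :class
      inherits = node[2].to_a.flatten.each_cons(2)
                        .any? { |a, b| a == :@const && b == "ApplicationController" }
      controller = inherits ? node[1].flatten.grep(String).last : nil
    elsif controller && permit_bang?(node) && root_receiver(node[1]) == "params"
      out << [controller, node[3][2][0]] # node[3][2] is [line, column]
    end
    node.each { |child| scan(source, child, controller, out) }
    out
  end
end

# Constructed sample: two controllers to flag, plus a non-controller using permit!.
SAMPLE_SOURCE = <<~RUBY
  class UsersController < ApplicationController
    def create
      @user = User.new(params[:user].permit!)
    end
  end
  class AccountsController < ApplicationController
    def update
      account.update(params.require(:account).permit!)
    end
  end
  class Importer; def run(params); params.permit!; end; end
RUBY
```

Running PermitBangDetector.scan(SAMPLE_SOURCE) reports the two controller findings with their line numbers and ignores the Importer class, because its permit! call is not inside an ApplicationController subclass.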
Vulnerable code example

class UsersController < ApplicationController
  def create
    # Vulnerable: Using permit! allows mass assignment of ANY attribute
    @user = User.new(params[:user].permit!)
    if @user.save
      redirect_to @user
    else
      render :new # original snippet is truncated here; standard scaffold branch assumed
    end
  end
end

✅ Secure code example
class UsersController < ApplicationController
  def create
    # Secure: Explicitly whitelist only allowed attributes
    @user = User.new(user_params)
    if @user.save
      redirect_to @user
    else
      render :new # original snippet is truncated here; standard scaffold branch assumed
    end
  end
  private def user_params
    params.require(:user).permit(:name, :email) # attribute names are illustrative
  end
end