Bear Den Designs

ActiveRecord.update_attributes has_many :security_holes, :through => :unkown_features

Among you railites who have successfully learned rails, watched tutorials, and generally feel comfortable about your abilities: Probably didn’t know there is a little security hole in your app.

It has to deal with update_attributes, has_many relationships, and a method made available on the parent in the relation.

Example:

class User < ActiveRecord::Base
  has_many :groups
end

In your view you have your pretty form with user’s name and other demographics they can enter in their profile. and a ‘save’ button that leads to a call to ‘update_attributes’.

The problem lies in the fact that has_many creates a method off your object called

 user.group_ids= 

Which allows you to pass in an array of ids and create associations en-mass.
the problem is that I can come in with firebug and add my own fields.

<!-- im in your html source adding my inputs -->
<input type="text" name="user[group_ids][]"/>
<input type="text" name="user[group_ids][]"/>
<input type="text" name="user[group_ids][]"/>

After filling those fields and submiting, if you inspect the params hash you will notice:
- “parent” => {…. “association_ids” => [“1”,“2”,“4”]}

And if you check your script/console and check the associations, they will be there assuming you have groups with id’s of 1,2, and 4.

The implications? If you use these groups for any kind of role based access, a user could assume a group with root/super/power user access!

The lesson?

Protect your attributes!

 attr_protected :group_ids 

But! a better idea would be to use:

 attr_accessible :name, :bio, :etc 

I hope this has helped you as much as it did me!

-TheHacker