Avoid create_with bypasses strong parameter protection
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: ruby-security/create-with
Language: Ruby
Severity: Error
Category: Security
CWE: 915
Description
The rule “Avoid create_with bypasses strong parameter protection” is an important guideline in Ruby development that helps to ensure the security of your application. Strong parameters are a feature in Ruby on Rails which provides an interface for protecting attributes from end-user assignment. This means that it prevents an attacker from setting arbitrary attributes by manipulating the parameters passed to the model.
The create_with
method, however, can bypass this protection, potentially allowing an attacker to set attributes that should not be accessible. This can lead to serious security vulnerabilities in your application, such as unauthorized access or data corruption.
To adhere to this rule and avoid these security risks, always ensure to use strong parameters with the create_with
method. This can be done by using the permit
method on the parameters before passing them to create_with
. For example, instead of user.articles.create_with(params[:content]).create
, use user.articles.create_with(params[:content].permit(:slug, :date)).create
. This ensures that only the specified attributes can be set, protecting your application from potential attacks.
Non-Compliant Code Examples
user.articles.create_with(params[:content]).create
Compliant Code Examples
user.articles.create_with(params[:content].permit(:slug, :date)).create