---
title: Avoid passing unfiltered user input to create_with
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid passing unfiltered user input to create_with
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Avoid passing unfiltered user input to create_with

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `ruby-security/create-with`

**Language:** Ruby

**Severity:** Error

**Category:** Security

**CWE**: [915](https://cwe.mitre.org/data/definitions/915.html)

## Description{% #description %}

The rule "Avoid passing unfiltered user input to create_with" is an important guideline in Ruby development that helps to ensure the security of your application. Strong parameters are a feature in Ruby on Rails which provides an interface for protecting attributes from end-user assignment. This means that it prevents an attacker from setting arbitrary attributes by manipulating the parameters passed to the model.

The `create_with` method, however, can bypass this protection when passed user-supplied params without .permit, potentially allowing an attacker to set attributes that should not be accessible. This enables mass assignment vulnerabilities, which can result in unauthorized access or data corruption.

To adhere to this rule and avoid these security risks, always ensure to use strong parameters with the `create_with` method. This can be done by using the `permit` method on the parameters before passing them to `create_with`. For example, instead of `user.articles.create_with(params[:content]).create`, use `user.articles.create_with(params[:content].permit(:slug, :date)).create`. This ensures that only the specified attributes can be set, protecting your application from potential attacks.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```ruby
user.articles.create_with(
    params[:article]
  ).find_or_create_by!(slug: slug)

Model.create_with(
    name: "hardcoded",
    role: params[:role]
  ).find_or_create_by!(uid: uid)
```

## Compliant Code Examples{% #compliant-code-examples %}

```ruby
user.articles.create_with(
    params[:article].permit(:slug, :date)
  ).find_or_create_by!(slug: slug)

Model.create_with(
    name: other_model.name,
    active: true
  ).find_or_create_by!(slug: slug)
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}
 