Divya
Joined: 14 Sep 2009 Posts: 57
Posted: Mon Dec 07, 2009 11:51 am Post subject: audit_mass_assignment plugin.
-------------- audit_mass_assignment plugin --------------
The "audit_mass_assignment" plugin contains a rake task that
checks the models in your project for the attr_accessible whitelist approach
to protecting against "mass assignment" exploits. It does not check for
use of attr_protected, so a model that only uses attr_protected is still reported as a failure.
To use this plugin in your application, follow these steps:
Step 1:
Install the plugin or the gem:
gem install ryanlowe-audit_mass_assignment
or download the plugin from
http://github.com/ryanlowe/audit_mass_assignment
Step 2:
Run the audit task in your terminal:
rake audit:mass_assignment
Step 3:
If you get an error like the following:
Audit mass assignment in models:
rake aborted!
uninitialized constant CGI::Session.
then open vendor/plugins/audit_mass_assignment/lib/audit_mass_assignment.rb.
At line 11 you will see:
--subclasses.delete CGI::Session::ActiveRecordStore::Session
Replace that line with:
--subclasses.delete ActionController::Session
because in the latest Rails version the session class is found under ActionController instead of CGI::Session.
Step 4:
In each model, declare the whitelist, for example:
attr_accessible :title, :description
listing only the fields you want to allow to be mass-assigned; every other attribute is protected.
Step 5:
Run rake audit:mass_assignment again.
It checks every model in your project for the attr_accessible whitelist approach
to protecting against "mass assignment" exploits.
The output in your terminal looks like this:
Audit mass assignment in models:
F
1) Event
2) Cal
3) Admin
4) Link
Solution: use attr_accessible in these models
6 models, 4 failures
Here "4 failures" means that those four models have not specified attr_accessible, so their attributes are not protected and an attacker may be able to set them through a crafted request.
---- attr_accessible usage ------
You should not create or update records directly from request parameters!
Example:
@user = User.new(params[:user])
This is mass assignment: it creates a new user object from every attribute submitted under :user.
<% form_for @user do |f| %>
<%= f.text_field :name %>
<%= f.text_field :email %>
...
All the attributes in this parameters hash will be used to create the new user record. If your users table contains an admin field, the attacker can submit a POST that sets admin = true, for example with a form like this:
<% form_for @user do |f| %>
<%= f.text_field :name %>
<%= f.text_field :email %>
<%= f.text_field :admin, :value => true %>
...
How can we prevent this?
We need to allow only "safe" attributes to be mass-assigned.
You might think it is easier to specify which attributes should be restricted, but remember that foreign keys are also susceptible to mass assignment.
So we are going to list the attributes that are allowed rather than the ones that are restricted. The rest we will have to assign individually.
In this example you would add to your model:
attr_accessible :name, :email
You should explicitly set which attributes are allowed in every model. The audit task fails on every model that does not include attr_accessible, as explained above.
Thank You,
Divya.
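The following is an added, self-contained example, not code from the post, the plugin, or Rails. It imitates the Rails 2.x attr_accessible whitelist in plain Ruby (a hypothetical ToyModel base class; Rails' own behaviour is to log a warning and drop non-whitelisted keys rather than raise) so the difference between the unprotected model and the whitelisted one can be run without a Rails app. It also includes a small scanner, audit_mass_assignment, that applies the same rule as the plugin's rake task to constructed model sources: a model passes only if it declares attr_accessible; attr_protected does not count. The model names, parameters and sources are constructed for the example.

```ruby
require 'set'

# Minimal stand-in for ActiveRecord::Base's mass-assignment behaviour (hypothetical).
# A model with no attr_accessible accepts every submitted key (the vulnerable
# default); a model that declares one keeps only whitelisted keys and drops
# the rest, as Rails 2.x did (it logged a warning rather than raising).
class ToyModel
  def self.attr_accessible(*names)
    @accessible = Set.new(names.map(&:to_sym))
  end

  def self.accessible_attributes
    @accessible # nil when the class never called attr_accessible
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    assign(params)
  end

  # Mass assignment: every key in params is a candidate attribute.
  def assign(params)
    whitelist = self.class.accessible_attributes
    params.each do |key, value|
      key = key.to_sym
      next if whitelist && !whitelist.include?(key) # not on the whitelist: dropped
      @attributes[key] = value
    end
    self
  end

  # Individual assignment, for the fields deliberately kept off the whitelist.
  # Controller code calls this only after its own authorization check.
  def set(name, value)
    @attributes[name.to_sym] = value
    self
  end

  def [](name)
    @attributes[name.to_sym]
  end
end

# Hypothetical models: same columns, one without and one with the whitelist.
class UnprotectedUser < ToyModel
end

class User < ToyModel
  attr_accessible :name, :email
end

# Constructed request parameters: the two form fields plus two the attacker added.
ATTACKER_PARAMS = {
  "name"       => "mallory",
  "email"      => "mallory@example.com",
  "admin"      => "true", # privilege flag
  "account_id" => "1",    # foreign key, just as exposed as a boolean flag
}

# Constructed model sources standing in for app/models/*.rb. The scanner
# mirrors the plugin's rule: only attr_accessible counts, attr_protected does not.
MODEL_SOURCES = {
  "Event" => "class Event < ActiveRecord::Base\n  belongs_to :cal\nend\n",
  "Admin" => "class Admin < ActiveRecord::Base\n  attr_protected :superuser\nend\n",
  "User"  => "class User < ActiveRecord::Base\n  attr_accessible :name, :email\nend\n",
}

# Returns the models lacking a whitelist and a summary line in the task's format.
def audit_mass_assignment(sources)
  failures = sources.keys.reject { |name| sources[name] =~ /^\s*attr_accessible\b/ }
  {
    :failures => failures,
    :summary  => "#{sources.size} models, #{failures.size} failures",
  }
end

if __FILE__ == $0
  puts "unprotected admin = #{UnprotectedUser.new(ATTACKER_PARAMS)[:admin].inspect}" # "true"
  puts "whitelisted admin = #{User.new(ATTACKER_PARAMS)[:admin].inspect}"           # nil
  report = audit_mass_assignment(MODEL_SOURCES)
  report[:failures].each_with_index { |m, i| puts "#{i + 1}) #{m}" }
  puts report[:summary] # => "3 models, 2 failures"
end
```

Running it shows the unprotected model accepting admin and account_id straight from the request, while the whitelisted model keeps only name and email; an admin flag then has to be assigned individually with set after the controller has authorized it. The scanner reports Event and Admin as failures, the latter because attr_protected alone is not the whitelist approach the plugin checks for.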