Insecure Access Control

Why is this important?

Access Control is one of the most fundamental security requirements. Any problems with managing access control can allow attackers to bypass business logic and access data from other users.

Check out this video for a high-level explanation:

Access Control Issues

The most common way that access control issues manifest in Ruby on Rails is through mass assignment. Mass assignment allows creating database records from a hash. Since Ruby on Rails 4, mass assignment protection is on by default, and parameters must be explicitly whitelisted via permit. This can still be used insecurely if the wrong parameters are permitted. Additionally, calling params.permit! disables this default security control.

Fixing Insecure Access Control

Option A: Remove params.permit!

  1. Go through the issues that GuardRails identified in the PR.
  2. Remove params.permit! and make sure the correct parameters are permitted:

     User.new(params.permit(:name, :password))
    
  3. Test it

  4. Ship it 🚢 and relax 🌴
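The difference between params.permit! and an explicit permit list, as an added example that is not part of the original page or of Rails itself. DemoParams and DemoUser are hypothetical plain-Ruby stand-ins that mimic only the filtering behaviour of permit and permit!, and the admin attribute and the request body are constructed for illustration.

```ruby
# Simplified stand-in for Rails strong parameters (an assumption for this
# example, NOT ActionController::Parameters).
class DemoParams
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # Like permit: keep only the named keys and mark the result as safe.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    DemoParams.new(@hash.select { |key, _| allowed.include?(key) }, true)
  end

  # Like permit!: mark every key as safe, whatever the client sent.
  def permit!
    @permitted = true
    self
  end

  # Refuses unfiltered input; Rails raises ActiveModel::ForbiddenAttributesError.
  def to_h
    raise ArgumentError, "unpermitted parameters" unless @permitted
    @hash.dup
  end
end

# Hypothetical model with one attribute the client must never set.
class DemoUser
  attr_accessor :name, :password, :admin

  def initialize(params)
    @admin = false
    params.to_h.each { |attr, value| public_send("#{attr}=", value) }
  end
end

# Constructed request body: a sign-up form with one extra field added.
def sample_request
  DemoParams.new({ "name" => "alice", "password" => "s3cret", "admin" => true })
end

# Builds a user from whatever the given block lets through.
def create_user
  DemoUser.new(yield(sample_request))
end

puts(create_user { |p| p.permit! }.admin)                   # true
puts(create_user { |p| p.permit(:name, :password) }.admin)  # false
```

Permitting :admin in the list has the same effect as permit!, which is the "wrong parameters are permitted" case described above.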

More information: