DoS Risk to ActiveRecord Models Not Using attr_accessible
From: Michael Koziarski <mich...@koziarski.com>
Date: Wed, 20 Jul 2011 09:50:04 +1200
Local: Tues, Jul 19 2011 5:50 pm
Subject: DoS Risk to ActiveRecord Models Not Using attr_accessible
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*This is not a code vulnerability but a best practice advisory*

There is a potential denial of service risk for ActiveRecord models
which don't use attr_accessible.  If attr_accessible is not used, it is
possible for an attacker to create arbitrary symbols. As memory used by
symbols cannot be garbage collected, this can lead to denial of service
by memory exhaustion.  Unfortunately send and respond_to? in the Ruby
interpreter create symbols from any string passed to them, so the only
reliable way to protect against this risk is to use attr_accessible.

All users should use attr_accessible in every model which can be updated
or created by untrusted users.

Detail
------

Active Record's mass attribute assignment functionality gives developers
a simple method to update a number of model attributes in a single call:

  @user.attributes = incoming_changes # hash of new values

The typical use-case for this is to take all the parameters from a form
and update a model object.  Alongside this functionality Active Record
provides a mechanism for programmers to specify which attributes are
permitted to be assigned in this manner.

attr_accessible lets you specify a whitelist of attributes which can be
assigned, and attr_protected lets you specify a blacklist of forbidden
attributes.  For more information see the Mass Assignment section of the
Securing Rails Applications guide[1].

As mentioned in earlier advisories[2], almost every application should
use +attr_accessible+ for almost every model; there are very few cases
where it can be left out.  Because of this, future releases of Ruby on
Rails may change the default to make it easier to avoid making mistakes.

Thanks to Jeremy Evans for reporting this issue to us and helping with
this advisory.

[1] http://guides.rubyonrails.org/security.html#mass-assignment
[2] http://groups.google.com/group/rubyonrails-security/browse_thread/thr...

--
Cheers,

Koz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4l/AwACgkQ3CszDRD2lfPbpACeMDgz/Q/dxL4BfpWZdxm1Mr8q
J0wAmQEFvc6DPHf3w0R+DWRzluqnMPDb
=NyS3
-----END PGP SIGNATURE-----

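The pattern the advisory describes, shown as an added example rather than code from the advisory or from Rails itself: a toy emulation of Active Record mass assignment in plain Ruby, with the unguarded `respond_to?`/`send` loop beside a whitelist in the spirit of `attr_accessible`. The class and module names (`NaiveUser`, `SafeUser`, `MassAssignable`) and the request hash are assumptions made for this illustration. One caveat for readers on current Rubies: since Ruby 2.2 symbols created at runtime from strings can be garbage collected, which blunts the memory-exhaustion angle, but the whitelist remains the right control because it also stops protected attributes such as `admin` from being set by a request.

```ruby
# Added example: a toy emulation of Active Record mass assignment, not Rails'
# own code. Names such as MassAssignable, NaiveUser and SafeUser are
# assumptions made for this illustration.

# Unguarded: every incoming key becomes a setter name that is probed with
# respond_to? and invoked with send. Both take the attacker-supplied string
# and, on Rubies before 2.2, intern it as a symbol that is never collected,
# so a stream of requests with unique keys grows memory without bound.
class NaiveUser
  attr_accessor :name, :email, :admin

  def assign_attributes(incoming)
    incoming.each do |key, value|
      setter = "#{key}="
      send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Whitelist mixin: attr_accessible records the permitted names as frozen
# strings once, at class-definition time. Incoming keys are compared against
# that list as strings; a key that is not on it is dropped before any
# respond_to?/send call, so no symbol is ever made from untrusted input.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible_attributes = names.map(&:to_s).freeze
    end

    # Deny by default: a model that never calls attr_accessible accepts nothing.
    def accessible_attributes
      @accessible_attributes || [].freeze
    end
  end

  # Returns the rejected keys so the caller can log them; a burst of
  # never-before-seen rejected keys is the signal of a probing client.
  def assign_attributes(incoming)
    rejected = []
    incoming.each do |key, value|
      name = key.to_s
      if self.class.accessible_attributes.include?(name)
        public_send("#{name}=", value) # name is one of our own literals here
      else
        rejected << name
      end
    end
    rejected
  end
end

class SafeUser
  include MassAssignable
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email # admin is deliberately not assignable
end

# Constructed request hash: one legitimate field, one protected field and
# one attacker-chosen garbage key of the kind the advisory warns about.
CONSTRUCTED_PARAMS = {
  "name"    => "alice",
  "admin"   => true,
  "bogus_0" => 1,
}.freeze

# Runs both models over the same input and returns what each ended up with.
def demo
  naive = NaiveUser.new.assign_attributes(CONSTRUCTED_PARAMS)
  safe = SafeUser.new
  rejected = safe.assign_attributes(CONSTRUCTED_PARAMS)
  {
    naive_admin: naive.admin,
    safe_admin: safe.admin,
    safe_name: safe.name,
    rejected: rejected,
  }
end

if __FILE__ == $0
  p demo
  # => {:naive_admin=>true, :safe_admin=>nil, :safe_name=>"alice", :rejected=>["admin", "bogus_0"]}
end
```

The naive model both interns whatever key the request carries and lets the request flip `admin`; the whitelisted model touches only the two declared setters and hands back the rejected keys, which is the line worth logging and alerting on.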