DoS Risk to ActiveRecord Models Not Using attr_accessible


Michael Koziarski

Jul 19, 2011, 5:50:04 PM
to rubyonrail...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*This is not a code vulnerability but a best practice advisory*

There is a potential denial of service risk for ActiveRecord models
which don't use attr_accessible. If attr_accessible is not used, an
attacker who controls the keys of a mass-assigned hash can cause the
interpreter to create arbitrary symbols. As memory used by symbols cannot
be garbage collected, this can lead to denial of service by memory
exhaustion. Unfortunately send and respond_to? in the Ruby interpreter
create symbols from any string passed to them, so the only reliable way
to protect against this risk is to use attr_accessible.

All users should use attr_accessible in every model which can be updated
or created by untrusted users.

Detail
- ------

Active Record's mass attribute assignment functionality gives developers
a simple method to update a number of model attributes in a single call:

@user.attributes = incoming_changes # hash of new values

The typical use-case for this is to take all the parameters from a form
and update a model object. Alongside this functionality Active Record
provides a mechanism for programmers to specify which attributes are
permitted to be assigned in this manner.

attr_accessible lets you specify a whitelist of attributes which can be
assigned, and attr_protected lets you specify a blacklist of forbidden
attributes. For more information see the Mass Assignment section of the
Securing Rails Applications guide[1].
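The following is an added illustration, not code from the original advisory or
from Rails itself. LegacyUser is a stand-in for a model without
attr_accessible: its assignment loop has the shape the advisory describes
(respond_to? followed by send on a string built from the incoming key), so
every attacker-chosen key is handed to the interpreter before anything decides
whether the attribute exists. SafeUser filters against a whitelist of strings
first, the way attr_accessible does, so only known names reach respond_to? or
send. The hostile parameter hash, the probed counter and the
symbol_table_growth helper are constructed for this example and are not part of
ActiveRecord. On Ruby 1.9 to 2.1, the interpreters current when the advisory
was written, each unknown key permanently adds one symbol; on Ruby 2.2 and
later dynamically created symbols are collectable, so the reported growth may
be small or zero even though the unsafe dispatch is unchanged.

```ruby
require 'securerandom'

# Model without attr_accessible. Every incoming key is turned into a setter
# name and passed to respond_to?/send as a string, which the interpreter
# interns as a symbol before it can tell the attribute is unknown.
class LegacyUser
  attr_accessor :name, :email, :admin
  attr_reader :probed   # setter names handed to respond_to?/send (for demonstration only)

  def initialize
    @probed = []
  end

  def attributes=(hash)
    hash.each do |key, value|
      setter = "#{key}="
      @probed << setter
      send(setter, value) if respond_to?(setter)   # symbol created even when false
    end
  end
end

# Same model with the equivalent of `attr_accessible :name, :email`.
class SafeUser
  attr_accessor :name, :email, :admin
  attr_reader :probed
  ACCESSIBLE = %w[name email].freeze   # whitelist of assignable attributes

  def initialize
    @probed = []
  end

  def attributes=(hash)
    hash.each do |key, value|
      # Whitelist check compares Strings only; attacker-controlled keys are
      # dropped before any respond_to?/send call can intern them.
      next unless ACCESSIBLE.include?(key.to_s)
      setter = "#{key}="
      @probed << setter
      send(setter, value)
    end
  end
end

# Constructed attacker request: two legitimate fields, a privilege-escalation
# attempt on `admin`, and a flood of random keys that no model will ever have.
def hostile_params(count = 1000)
  params = { 'name' => 'mallory', 'email' => 'm@example.com', 'admin' => '1' }
  count.times { params["x#{SecureRandom.hex(8)}"] = '1' }
  params
end

# Assigns the params to a fresh model and returns it together with the number
# of incoming keys that reached respond_to?/send.
def probes_for(klass, params)
  model = klass.new
  model.attributes = params
  [model, model.probed.size]
end

# Number of entries the interpreter's symbol table gained while the block ran.
def symbol_table_growth
  before = Symbol.all_symbols.size
  yield
  Symbol.all_symbols.size - before
end

if __FILE__ == $0
  params = hostile_params
  legacy, n = probes_for(LegacyUser, params)
  puts "LegacyUser: #{n} keys probed, admin=#{legacy.admin.inspect}"
  safe, n = probes_for(SafeUser, params)
  puts "SafeUser:   #{n} keys probed, admin=#{safe.admin.inspect}"
  growth = symbol_table_growth { LegacyUser.new.attributes = hostile_params }
  puts "symbol table growth for one hostile request against LegacyUser: #{growth}"
end
```

Run it with `ruby mass_assignment_symbols.rb`. The whitelist does double duty:
it stops the symbol-table growth the advisory warns about and it also keeps the
`admin` field from being set by the request, which is the more familiar mass
assignment problem covered in the Securing Rails Applications guide.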

As mentioned in earlier advisories[2], almost every application should
use attr_accessible for almost every model; there are very few cases
where it can be left out. Because of this, future releases of Ruby on
Rails may change the default to make it easier to avoid making mistakes.

Thanks to Jeremy Evans for reporting this issue to us and helping with
this advisory.

[1] http://guides.rubyonrails.org/security.html#mass-assignment
[2] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/42c4d5d3b7354735

- --
Cheers,

Koz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4l/AwACgkQ3CszDRD2lfPbpACeMDgz/Q/dxL4BfpWZdxm1Mr8q
J0wAmQEFvc6DPHf3w0R+DWRzluqnMPDb
=NyS3
-----END PGP SIGNATURE-----
