I like Nick Kallen's idea, but to continue with ideas: Yehuda Katz talked about pushing property authorization to the controller or model: https://gist.github.com/1974187 .

This exploit is particularly concerning for those writing REST APIs where your users are assuredly technically literate. Are you verifying all your properties?

Xavier

On Mon, Mar 5, 2012 at 5:48 PM, Neal Clark <[email protected]> wrote:
> I liked Nick Kallen's idea on making it a "framework thing"
>
> https://twitter.com/#!/nk/status/176466894876966912
> https://twitter.com/#!/nk/status/176467242735775744
>
>
> On Mar 5, 2012, at 5:40 PM, Chris McCann wrote:
>
> > A developer used the Rails mass assignment vulnerability to basically
> > give himself push access to any Github repo. He claims he made Github
> > aware of the problem before taking action to highlight it.
> >
> > Here's an article about it:
> >
> > http://www.h-online.com/open/news/item/GitHub-security-incident-highlights-Ruby-on-Rails-problem-1463207.html
> >
> > The take-away: make sure you're not leaving your Rails apps open to
> > exploit this way. Be sure to use attribute white-lists or black-lists
> > to protect assignment that could give users elevated privileges or
> > access to other users' stuff.
> >
> > See the Rails Security Guide
> > http://guides.rubyonrails.org/security.html#mass-assignment.
> >
> > Cheers,
> >
> > Chris
> >
> > --
> > SD Ruby mailing list
> > [email protected]
> > http://groups.google.com/group/sdruby
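As an added illustration of the white-list advice in the thread (example code written for this page, not from any of the posters and not Rails itself): a minimal stand-in for the attr_accessible white-list, placing the unchecked assignment beside the white-listed one. The User model, the params hash and the method names are assumptions.

```ruby
# Added example, not from the thread and not Rails' own code: a minimal
# stand-in for the attr_accessible white-list, runnable without Rails.
require 'set'

module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare the attributes a client may set from request params.
    def attr_accessible(*names)
      @accessible = Set.new(names.map(&:to_s))
    end
    def accessible_attributes
      @accessible || Set.new
    end
  end

  # Unchecked: every key in the params hash lands on the model, so a client
  # that adds "admin" => true to a profile update grants itself that role.
  def assign_attributes_unchecked(params)
    params.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # White-listed: only declared attributes are assigned. Returns the keys
  # that were dropped so the controller can log the attempt.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    rejected = []
    params.each do |k, v|
      if allowed.include?(k.to_s)
        instance_variable_set("@#{k}", v)
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

class User
  include MassAssignment
  attr_reader :name, :email, :admin
  attr_accessible :name, :email # "admin" is deliberately not white-listed
end

# Constructed request body: a profile update that also smuggles in "admin".
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => true }.freeze
```

Logging the rejected keys gives a cheap detection signal: legitimate clients never send protected attributes, so any non-empty return value is worth an alert.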
