Access to the dynamite store


December 11, 2012 by Rob Nichols

Rails 4 is coming over the horizon, and I think one of the most welcome changes will be the inclusion of strong_parameters as standard.

One major web app security issue to be aware of arises because most object creation and update HTTP calls pass a batch of changes to the server. In Rails these are bundled up into the params hash. To make processing the data efficient, the batch of data is handled in one step, for example via update_attributes. The danger is that someone will add unwanted attributes to the batch.

Consider someone sending {admin: true} within the batch of data used to create a new user.

To deal with this, attr_accessible was introduced. This adds a white list of parameters that can be used within batch update methods such as update_attributes.

The problem with attr_accessible is that, as it is applied to the model, the white list acts everywhere the model is used, including places where the security is not needed. For example, when you want to modify objects at the command console (rails c).

strong_parameters moves the control from the model to the controller. So the white list is applied where it needs to be, leaving behind-the-scenes operations free to use batch commands such as update_attributes as they are needed.
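The difference between handing the whole batch to the model and whitelisting in the controller, as an added example that is not from the original post or from Rails itself. The User and Params classes and the three methods are hypothetical plain-Ruby stand-ins for a Rails model and for the require/permit calls described in the strong_parameters README, and the request hash is constructed.

```ruby
# Added illustration in plain Ruby; User and Params are hypothetical stand-ins.

class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Batch assignment in the style of update_attributes: every key is trusted.
  def update_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Minimal stand-in for the require/permit idea from strong_parameters.
class Params
  def initialize(hash)
    @hash = hash
  end

  # Raises KeyError when the expected top-level key is absent.
  def require(key)
    Params.new(@hash.fetch(key))
  end

  # Keep only the whitelisted keys; everything else is dropped.
  def permit(*allowed)
    @hash.select { |key, _| allowed.include?(key) }
  end
end

# Constructed request body: a sign-up form carrying an extra admin attribute.
REQUEST = { user: { name: "Sam", email: "sam@example.test", admin: true } }

# No whitelist: the whole batch goes straight to the model.
def create_unfiltered(request)
  User.new.update_attributes(request[:user])
end

# Controller-side whitelist: only name and email reach the model.
def create_filtered(request)
  permitted = Params.new(request).require(:user).permit(:name, :email)
  User.new.update_attributes(permitted)
end

# Trusted code (the console case) can still batch-update any attribute.
def promote_from_console(user)
  user.update_attributes(admin: true)
end
```

Because the filter lives in the controller-style method rather than in User, the console-style call still works on the same model.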

I’d recommend having a look at the strong_parameters README to see how it works:

https://github.com/rails/strong_parameters

One thing to note is that the two approaches to white listing do not sit nicely side by side. It is a case of using one approach or the other. In Rails 4, you will be able to switch off strong_parameters. This means that you will not have to refactor existing apps to remove attr_accessible when upgrading to Rails 4.

However, I think the case for using strong_parameters over attr_accessible is compelling, and therefore would recommend that new apps use this approach.
