Does CakePHP automatically deal with mass assignment vulnerabilities when saving modified data?
Edit:

After receiving more information from DCoder, the phrase I was searching for here is a "mass assignment vulnerability." That is to say, taking advantage of the convenience of methods that would save all valid fields to the database, regardless of their presence on the initial form (making them vulnerable to manipulated POST data containing more [possibly more critical] fields than the intended ones).

The two common responses are then appropriately named whitelisting and blacklisting; whitelisting fields intended for modification, or blacklisting fields that should not be modified.

My question then follows: does CakePHP automatically whitelist only those fields in the submitting form, or is it necessary for me (and other Cake fans) to be careful that we are whitelisting or blacklisting appropriately?


Original Question:

Cake offers a lot of great ways to generate forms and handle them nearly automatically. As I was thinking about security, I got to wondering: is Cake aware of what fields existed in a form submitted, or will it simply accept any valid field? Take the following scenario if I'm not making sense (and someone is welcome to edit my question to be better worded if they can think of a better way to express it):

Let's say I allow my users to edit their profile. I create a form which has fields for username, e-mail, and password, under the action edit.

A clever user wants to come in and change their is_admin field from false to true, so they use an app like firebug to submit custom post data to the edit action, which includes the field is_admin set to true.

The question is, would Cake realize on its own that is_admin was not in the original form, or do I need to be careful to explicitly specify which fields a given action can modify? Is there an easier way?

Thank you!

James

Willdon answered 5/5, 2012 at 3:3 Comment(2)
This is known as "mass assignment" and recently it made headlines when it was used to "hack" GitHub. Normally the solution to this is whitelisting the fields which can be mass-assigned. - Portis
@DCoder, thank you, having the actual name helps a lot. I will modify the question to reflect that information. - Willdon
You have to load the SecurityComponent in your controller(s) and CakePHP will prevent form tampering for you, see http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#form-tampering-prevention

Kimmi answered 5/5, 2012 at 5:26 Comment(7)
I also advise you (xtraorange) to read dereuromark.de/2010/09/21/saving-model-data-and-security - Hypaethral
That's very helpful (both of you). @Hypaethral - I read through the article and found it addressed all the issues I've been thinking on (and one I hadn't considered). I noticed the article was a little dated and I'm not sure when you last updated it: what's your feeling on the security component at this point? If I were to use it, what would I need to still watch for? - Willdon
So including Security Component in the AppController will protect any form from tampering? Do you know the performance hit from this? - Aneroid
Yes, security component will take care of pretty much all of it automatically. The performance is pretty much the same (not really visible compared to the overall loading time). - Hypaethral
@Hypaethral If using the security component, is there anything I still need to make note of and prevent (I know PKs was one of them before, but since you wrote the article it's been a couple of years, so I wasn't sure what had changed). - Willdon
No, usually not. The article focuses on the things that need to be done without it (if you use ajax or for some other reason cannot use the security component). - Hypaethral
Great, well that definitely gives me a clear and easy solution. I can't believe this isn't brought up in any of the tutorials... this should be one of the first things mentioned about the models. Anyway, thank you for the help, and your extremely useful website (which really has a lot of great CakePHP reference material). - Willdon
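As an added illustration of the two defences discussed in this answer and its comments (not code from the answer or from the CakePHP project): a CakePHP 2.x AppController that loads SecurityComponent so FormHelper-generated forms carry a field-list token, plus a profile edit action that additionally passes an explicit fieldList whitelist to save(). The controller, model and column names (User, username, email, password) are assumed, and AuthComponent is assumed to be configured.

```php
<?php
// Added example, not from the original answer. Assumes CakePHP 2.x, a User
// model with username/email/password columns, and a configured AuthComponent.

// app/Controller/AppController.php
class AppController extends Controller {
    // With Security loaded, FormHelper::create() embeds a _Token hash of the
    // field names in every form; a POST whose field set differs from the
    // generated form (e.g. an injected is_admin) is "black-holed".
    public $components = array('Security', 'Session', 'Auth');

    public function beforeFilter() {
        parent::beforeFilter();
        // Controller method invoked when SecurityComponent rejects a request.
        $this->Security->blackHoleCallback = 'forceBlackHole';
    }

    public function forceBlackHole($type) {
        // $type describes the failure ('auth' for a field-list mismatch).
        CakeLog::write('warning', "Form tampering detected ($type) from " .
            $this->request->clientIp());
        throw new BadRequestException('The submitted form was rejected.');
    }
}

// app/Controller/UsersController.php
class UsersController extends AppController {
    public function edit() {
        // Bind the save to the logged-in user, never to a submitted id.
        $this->User->id = $this->Auth->user('id');
        if ($this->request->is('post') || $this->request->is('put')) {
            // Defence in depth: only these columns are ever written, so an
            // is_admin key that somehow reaches save() is simply ignored.
            $fieldList = array('username', 'email', 'password');
            if ($this->User->save($this->request->data, true, $fieldList)) {
                $this->Session->setFlash('Profile updated.');
                return $this->redirect(array('action' => 'edit'));
            }
            $this->Session->setFlash('Profile could not be saved.');
        } else {
            // Pre-fill the form, but never send the password hash back out.
            $this->request->data = $this->User->read(null, $this->User->id);
            unset($this->request->data['User']['password']);
        }
    }
}
```

The token check only protects forms rendered by FormHelper; for AJAX or hand-built requests the fieldList whitelist (or an equivalent per-action whitelist) is the control that actually holds.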
CakePHP has built-in validation options available. The Form automatically generates the fields and does validation based on the validation criteria you have mentioned in the model. This validation will be called automatically before the Save method.

Also if you want to add some custom validation, you can add that in the model.

With your specific query you can remove the is_admin field from the edit form so that it won't be editable by the user. If you want to add more security and make sure that the is_admin field has a false value, you can edit its value in the controller's edit method.

In the edit method you can add the following code before calling the Save action (the closing quote on the key was missing in the original line):
$this->request->data['ModelName']['is_admin'] = false;

Liam answered 5/5, 2012 at 4:13 Comment(4)
Well, I'm not referencing validation. I do understand cake validation, but I don't think that applies here. As far as is_admin, that's really just an example. The point is that I'm wondering if a user wanted to change whatever they like, regardless of if I intended it to be changeable, for any model that they have the ability to modify anything on. So how do I prevent that? - Willdon
What you can do is make the field disabled in the edit page which you don't want the user to edit. Even if you think the user may tamper with the data using firebug, you can rewrite the original data before the Save method in the controller's edit action. $this->request->data['ModelName']['is_admin'] = false; - Liam
Unfortunately, this isn't really something I could apply on a full scale. If I was concerned for just one field, certainly, particularly if I knew its expected contents. But I'm looking at an application-wide scenario based off the modeled example; many many fields with this same issue, different user levels with different rights, etc. Perhaps specifying an example was a bit confusing; I've clarified my question, hopefully that helps. Thanks for your input - Willdon
I don't think this is a very good way to deal with these issues. Set allowable attributes to whitelist and/or use the security component (as indicated by the other answers). - Elise