Why slicing the params hash poses a security issue on mass-assignment?

Asked 20/9, 2011 at 10:7 Answered 29/11, 2012 at 20:52

Solved ruby-on-rails ruby security mass-assignment strong-parameters

The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not only for the model). The simplest way of doing it in a controller is slicing the params hash:

@user = User.update_attributes(params[:user].slice(:name))

However the documentation states:

Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes won’t provide sufficient protection.

Why is that? Why a whitelist-slicing of params does not provide enough protection?

UPDATE: Rails 4.0 will ship strong-parameters, a refined slicing of parameters, so I guess the whole slicing thing was not so bad after all.

Inception answered 20/9, 2011 at 10:7 Comment(3)

Well for starters it's just an inconvenience. With attr_accesible you can use :name in your model if you need to (albeit it without saving it), but if you .slice it off the params hash you can't do that. It's also much more semantic to use attr_accesible because it tells others the properties relationship with the model, whereas slicing it is much more cryptic. – Voidance 20/9, 2011 at 10:11

@Alex: I understand that attr_accessible is a convenient way of managing mass-assignment. Ok, but what's the security hole of using params[:xyz].slice? – Inception 20/9, 2011 at 10:16

For the record, attr_accessible now states "Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes provides basically the same functionality, but it makes a bit tricky to deal with nested attributes." Also, see the Edge API for advance Rails 4 docs, and see strong_parameters plugin for what to use prior to Rails 4. – Pankey 15/5, 2013 at 2:17

The problem with slice and except in controller might occur in combination with accept_nested_attributes_for in your model. If you use nested attributes, you would need to slice parameters on all places, where you update them in controller, which isn't always the easiest task, especially with deeply nested scenarios. With using attr_accesible you don't have this problem.

Bartholomeo answered 7/3, 2012 at 9:52 Comment(1)

ah, nested attributes, it would be indeed an unpleasant work to filter the params in this case. – Inception 7/3, 2012 at 11:12

As of Rails 4, slicing the parameters will be the preferred method of dealing with mass assignment security. The Rails core team has already developed a plugin to deal with this now, and they are working on integrating support for nested attributes and signed forms. Definitely something to check out: http://weblog.rubyonrails.org/2012/3/21/strong-parameters/

Conscionable answered 23/3, 2012 at 12:55 Comment(1)

"The basic idea is to move mass-assignment protection out of the model and into the controller where it belongs.". Nice. – Inception 23/3, 2012 at 16:17

Interesting gist from DHH on slicing in controller vs whitelisting alone:

https://gist.github.com/1975644

class PostsController < ActionController::Base
  def create
    Post.create(post_params)
  end

  def update
    Post.find(params[:id]).update_attributes!(post_params)
  end

  private
    def post_params
      params[:post].slice(:title, :content)
    end
end

Comment reinforcing the need to manage this within the controller:

https://gist.github.com/1975644#gistcomment-88369

I personally apply both - attr_accessible with slice to ensure nothing unexpected gets through. Never rely on blacklisting alone!

Bolyard answered 29/11, 2012 at 20:52 Comment(0)

Just removing the :name from the params hash works to prevent setting that attribute for that action. It works only for the actions you remember protecting.

However, this practice doesn't protect you from abuse using all the methods automatically added for associations.

class User < ActiveRecord::Base
  has_many :comments
end

will leave you vulnerable for someone setting the comments_ids attribute, even when you delete the comments attribute from params.

Since there are quite a lot of methods added for associations, and since they might change in the future, the best practice is to protect your attributes on the model using attr_accessible. This will stop these kind of attacks most effectively.

Conscionable answered 20/9, 2011 at 10:31 Comment(7)

Hash#slice is used for whitelisting: {:comments_ids => [1,2,3], :name => 'hello'}.slice(:name) #=> {:name=>"hello"}. I really don't see what could possible go wrong with it (dangerous phrase :-)) – Inception 20/9, 2011 at 10:35

Anyway, as I said, I understand why attr_accessible is a good way to handle mass-assignment security. But I was curious what was wrong with a slice, what extra security provides attr_accessible? – Inception 20/9, 2011 at 10:41

attr_accessible protects your model in every action, all the time, without you having to remember putting it in each controller. – Conscionable 20/9, 2011 at 10:43

I appreciate your answer, all you wrote it's true, but I am not sure that the docs saying "it won’t provide sufficient protection" means "it's not secure because you may forgive to put it". – Inception 20/9, 2011 at 12:41

I'm with @Inception here - can't understand how Hash#slice could be less secure than attr_accessible. And if you forgot about Hash#slice... well, then forgetting about Hash#slice is insecure, and not the Hash#slice itself. – Spradlin 1/12, 2011 at 14:48

Hash#slice would be used to keep specific params, not delete them, so your example doesn't really work – Foliolate 12/3, 2012 at 22:25

As of Rails 4, slicing the parameters will become the preferred method to deal with this. weblog.rubyonrails.org/2012/3/21/strong-parameters – Conscionable 23/3, 2012 at 12:54

@tokland your last comment is not correct to some extend. Unless your website has the browser as the only entry point where data comes in and goes out.

If your webapp has an API or communicates with other API's protection on the controller level leaves holes behind it and all data from other sources is not sanitised or checked. I recommend keeping the things as they are, turning on mass-assignment protection in application.rb and advancing ActiveSupport FormHelpers to work like Django/Python style.

Diagenesis answered 3/5, 2012 at 15:27 Comment(3)

which one of my comments? I wrote a lot of them in this page :-) Anyway, I don't see the diferrence between having an API or a browser form. Of course the whole point is to avoid the user updating attributes he is not supposed to by tampering attributes. – Inception 3/5, 2012 at 16:35

@Inception The one where you say "The basic idea is to move mass-assignment protection out of the model and into the controller where it belongs." – Diagenesis 21/5, 2012 at 19:43

It's a quote from the linked article. But I agree, now I see this as a task for both the model and the controller. – Inception 6/3, 2013 at 14:6

Recommended topics

Hot tags