Skip to main content

Rails: Configuring Admins, Checkboxes, and attributes= Vulnerabilites

I'm using acl_system2 together with authlogic to provide ACLs for my Rails app.

I wanted to provide a list of checkboxes so that an admin can configure the list of roles assigned to a user. Since Rails really prefers to work with one model per form, and the list roles are separate from the user record itself, it took me a while to figure out how to do this. Thankfully, I found this post which showed me how to do it. The code looks like:
<% restrict_to "admin" do %>
<p>
<%= form.label :role_ids, "Roles" %>
<% Role.all.sort.each do |role| %>
<% field_id = "role_#{role.id}" %>
<br />
<%= check_box_tag "user[role_ids][]", role.id, @user.role_ids.include?(role.id), {:id => field_id} %>
<%= label_tag field_id, h(role.title) %>
<% end %>
</p>
<% end %>
Without any changes to my controller, it just worked. However, that worried me.

I suddenly realized that if you give a user access to edit a record from ModelA and ModelA has_and_belongs_to_many ModelB, then a user can hack his form to pick which records from ModelB he has. I.e., my app was totally insecure--and, probably, so was everyone else's! I started freaking out ;)

Fortunately, the guys on the SF Ruby mailing list showed me this blog post. Apparently, I was right. It's a huge security vulnerability that even the third edition of "Agile Web Development with Rails" doesn't cover very well.

After analyzing all the options, I created config/initializers/disable_mass_assignment.rb with:
# Force every model to make use of attr_accessible.
# See: http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment
ActiveRecord::Base.send(:attr_accessible, nil)
Then, I added calls to attr_accessible in my models like:
attr_accessible :username, :email, :first_name, :last_name, ..., :password, :password_confirmation
I ran my tests, and I ended up with this ugly error message:
Mysql::Error: Column 'session_id' cannot be null: INSERT INTO `sessions` (`data`, `created_at`, `updated_at`, `session_id`) VALUES('BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo\nSGFzaHsABjoKQHVzZWR7AA==\n', '2009-07-29 19:08:46', '2009-07-29 19:08:46', NULL) (ActiveRecord::StatementInvalid)
It took me a while to figure it out, but finally I stumbled across this blog post. I added the following to the bottom of config/initializers/disable_mass_assignment.rb:
ActiveRecord::Base.send(:attr_accessible, :session_id)
That fixed it.

I had to fix a few remaining issues, usually by tweaking the attr_accessible calls in my models. Finally, my code that would allow an admin to create another admin broke, because attr_accessible wasn't allowing access to role_ids. That was a good sign ;) I tweaked the controller like:
def update
restrict_to "admin" do
@user.role_ids = params[:user][:role_ids] || []
end
if @user.update_attributes(params[:user])
...
I even wrote the following Cucumber test to verify that everything worked:
Scenario: a user cannot hack his form to trick Rails into making him an admin
Given I am logged in as admin
When I follow "My Account"
And I follow "Edit"
And I check "admin"
And I check "subscriber"
And someone else strips me of my admin role
And I press "Update"
Then I should not see "Roles"
And I should not see "admin, subscriber"
Voila! All is happy in Rails land again!

Comments

jjinux said…
By the way, I decided not to use the approach of controlling which params my controllers can see, which is used by this plugin: http://github.com/cjbottaro/param_protected/tree/master.

There are many times where I want a controller to have access to certain params, I just don't want them assigned in a call to attributes=.

On the other hand, I can definitely appreciate the approach the plugin takes. I like the idea of different actions restricting access to different model attributes.
jjinux said…
Here's another very well thought-out post on the subject: http://missioncriticallabs.com/blog/2009/08/mass-assignment-and-security-in-ruby-on-rails/

Popular posts from this blog

Drawing Sierpinski's Triangle in Minecraft Using Python

In his keynote at PyCon, Eben Upton, the Executive Director of the Rasberry Pi Foundation, mentioned that not only has Minecraft been ported to the Rasberry Pi, but you can even control it with Python . Since four of my kids are avid Minecraft fans, I figured this might be a good time to teach them to program using Python. So I started yesterday with the goal of programming something cool for Minecraft and then showing it off at the San Francisco Python Meetup in the evening. The first problem that I faced was that I didn't have a Rasberry Pi. You can't hack Minecraft by just installing the Minecraft client. Speaking of which, I didn't have the Minecraft client installed either ;) My kids always play it on their Nexus 7s. I found an open source Minecraft server called Bukkit that "provides the means to extend the popular Minecraft multiplayer server." Then I found a plugin called RaspberryJuice that implements a subset of the Minecraft Pi modding API for B

Ubuntu 20.04 on a 2015 15" MacBook Pro

I decided to give Ubuntu 20.04 a try on my 2015 15" MacBook Pro. I didn't actually install it; I just live booted from a USB thumb drive which was enough to try out everything I wanted. In summary, it's not perfect, and issues with my camera would prevent me from switching, but given the right hardware, I think it's a really viable option. The first thing I wanted to try was what would happen if I plugged in a non-HiDPI screen given that my laptop has a HiDPI screen. Without sub-pixel scaling, whatever scale rate I picked for one screen would apply to the other. However, once I turned on sub-pixel scaling, I was able to pick different scale rates for the internal and external displays. That looked ok. I tried plugging in and unplugging multiple times, and it didn't crash. I doubt it'd work with my Thunderbolt display at work, but it worked fine for my HDMI displays at home. I even plugged it into my TV, and it stuck to the 100% scaling I picked for the othe

Creating Windows 10 Boot Media for a Lenovo Thinkpad T410 Using Only a Mac and a Linux Machine

TL;DR: Giovanni and I struggled trying to get Windows 10 installed on the Lenovo Thinkpad T410. We struggled a lot trying to create the installation media because we only had a Mac and a Linux machine to work with. Everytime we tried to boot the USB thumb drive, it just showed us a blinking cursor. At the end, we finally realized that Windows 10 wasn't supported on this laptop :-/ I've heard that it took Thomas Edison 100 tries to figure out the right material to use as a lightbulb filament. Well, I'm no Thomas Edison, but I thought it might be noteworthy to document our attempts at getting it to boot off a USB thumb drive: Download the ISO. Attempt 1: Use Etcher. Etcher says it doesn't work for Windows. Attempt 2: Use Boot Camp Assistant. It doesn't have that feature anymore. Attempt 3: Use Disk Utility on a Mac. Erase a USB thumb drive: Format: ExFAT Scheme: GUID Partition Map Mount the ISO. Copy everything from