Why is this important?
Access Control is one of the most fundamental security requirements. Any problems with managing access control can allow attackers to bypass business logic and access data from other users.
Check out this video for a high-level explanation:
The most common way that access control issues manifest in Ruby on Rails is
through Mass Assignment issues. Mass assignment allows creating database
records from a hash. Since Ruby on Rails 4, the protection for mass
assignment is on by default and it's required to explicitly whitelist
parameters via permit. This still can be used insecurely, if the wrong
parameters are permitted. Additionally,
params.permit! would disable
this default security control.
Fixing Insecure Access Control
Option A: Remove
- Go through the issues that GuardRails identified in the PR.
params.permit!and make sure the correct parameters are permitted:
- Test it
- Ship it 🚢 and relax 🌴