Avoid create_with bypasses strong parameter protection

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: ruby-security/create-with

Language: Ruby

Severity: Error

Category: Security

CWE: 915

Description

The rule “Avoid create_with bypasses strong parameter protection” is an important guideline in Ruby development that helps to ensure the security of your application. Strong parameters are a feature in Ruby on Rails which provides an interface for protecting attributes from end-user assignment. This means that it prevents an attacker from setting arbitrary attributes by manipulating the parameters passed to the model.

The create_with method, however, can bypass this protection, potentially allowing an attacker to set attributes that should not be accessible. This can lead to serious security vulnerabilities in your application, such as unauthorized access or data corruption.

To adhere to this rule and avoid these security risks, always ensure to use strong parameters with the create_with method. This can be done by using the permit method on the parameters before passing them to create_with. For example, instead of user.articles.create_with(params[:content]).create, use user.articles.create_with(params[:content].permit(:slug, :date)).create. This ensures that only the specified attributes can be set, protecting your application from potential attacks.

Non-Compliant Code Examples

user.articles.create_with(params[:content]).create

Compliant Code Examples

user.articles.create_with(params[:content].permit(:slug, :date)).create
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: rtrieu/product-analytics-ui-changes