DEV Community

Akshay Khot
Akshay Khot

Posted on • Originally published at akshaykhot.com

Why You Need Strong Parameters in Rails

You've used the strong parameters in your Rails applications, but did you know what problem they are solving? I didn't. So did some reading and learned about a common security vulnerability. In this post, I will explain the Mass Assignment vulnerability and how you can use the Rails strong parameters API to address it.

Mass Assignment Vulnerability

What is it?

Mass Assignment means assigning values to multiple variable or object properties at a time.

Why is it bad?

Consider the following object:

user = {
  name: "Jason",
  company: "37signals",
  owner: true
}
Enter fullscreen mode Exit fullscreen mode

Now let's say we want to update the company's name to "Basecamp". The typical web-application way to do this would be to receive some data, preferably from a form submission from the user, and use that data to update our user's properties.

params = {
  # some data
  company: "Basecamp",
  # some data
}

user.update!(params)
Enter fullscreen mode Exit fullscreen mode

Boom! You are done. But wait, the next day, Jason comes to the office and realizes there's a new owner. He's not listed as the owner anymore of the company.

How did that happen?

The answer is the other properties in the params object above that I didn't list. Here's what the complete object looks like:

params = {
  name: "Jason",
  company: "Basecamp",
  owner: false
}
Enter fullscreen mode Exit fullscreen mode

Because the software updated all the properties of the user using the params hash in its entirety, the owner property was updated to false. As a result, Jason is not an owner anymore.

Now, of course, this is a very simple example to illustrate the problem. Of course, the web application is not foolish enough to ask whether the owner is indeed the owner on a front-end form that anyone can submit, and thankfully, Jason is still the owner.

But you get the idea. It's terrible to update the properties of an object from a source that we don't trust!

Mass assignment vulnerability occurs when your application assigns the data from a user input to multiple objects, variables, of database fields at once. Updating the object's properties allows an attacker to modify or overwrite the existing data.

In the comments, Jeremy gave a scary real-world example. In 2012 GitHub was compromized by this vulnerability. A GitHub user used mass assignment that gave him administrator privileges to none other than the Ruby on Rails project. As GitHub co-founder, Tom Preson-Werner later said,

"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability,"

How to prevent it?

The solution is simple. Before you update any object, filter out only the properties you want and nothing else!

class UsersController < ActionController::Base
  def create
    User.create(user_params)
  end

  def update
    User.find(params[:id]).update_attributes!(user_params)
  end

  private
    def user_params
      params[:user].slice(:name, :company)
    end
end
Enter fullscreen mode Exit fullscreen mode

This pattern was so common that Rails released a plugin as well as a gem for it, and later versions of Rails (v4 onwards) provide it out of the box. Here's how it works:

Strong Parameters

The philosophy behind strong parameters is "assume unsafe until proven otherwise". In simple terms, Rails marks the parameters forbidden to be used in mass assignment until you explicitly mark them as safe.

How do you mark parameters as safe?

Using the require and permit methods on the params hash, which is an instance of ActionController::Parameters.

params.require(:client).permit(:name, :company)
Enter fullscreen mode Exit fullscreen mode

In the above code, we explicitly mark the client parameter as required using the require method, and only permit the name and company parameters inside the client. If the client parameter has an admin parameter, Rails won't allow you to use it in a mass assignment operation.

Let's open the Rails console by running bin/rails console and run some experiments:

params = ActionController::Parameters.new({
  client: {
    name: "Jason",
    company: "Basecamp",
    admin: true
  },
  user: {
    name: "David"
  }
})

=> #<ActionController::Parameters {"client"=>{"name"=>"Jason", ..}} permitted: false>
Enter fullscreen mode Exit fullscreen mode

Yes, you can simply create a params object on fly. You don't need to make a request from the browser to access it. Pretty cool, right?

Notice that the output of the above code was an object with the permitted property set to false. Now, let's mark the client parameter as required, only permitting the name and company parameters.

client_params = params.require(:client).permit(:name, :company)
=> #<ActionController::Parameters {"name"=>"Jason", "company"=>"Basecamp"} permitted: true>
Enter fullscreen mode Exit fullscreen mode

Note that after validating the parameters and allowing only the attributes we want, the result client_params has the permitted property set to true. The client_params parameter is now safe to use in a mass-assignment operation.

To permit an entire hash of parameters, use the permit! method.

params.require(:client).permit!
Enter fullscreen mode Exit fullscreen mode

Remember that the strong parameters are only validated when you try to use them to update the active model's properties. It won't prevent you from accessing the data.

> params
=> #<ActionController::Parameters {"client"=>#<ActionController::Parameters {"name"=>"Jason", "company"=>"Basecamp", "admin"=>true} permitted: false>, "user"=>{"name"=>"David"}} permitted: false>

# This works
params[:user]
=> #<ActionController::Parameters {"name"=>"David"} permitted: false>
params[:user][:name]
=> "David"

# This doesn't
User.update!(params[:user])
Enter fullscreen mode Exit fullscreen mode

Permit All Parameters

If you want to permit all parameters by default, Rails provides the permit_all_parameters option, which is false by default. If set to true, it will permit all the parameters (not recommended).

ActionController::Parameters.new
=> #<ActionController::Parameters {} permitted: false>

ActionController::Parameters.permit_all_parameters = true
=> true

ActionController::Parameters.new
=> #<ActionController::Parameters {} permitted: true>
Enter fullscreen mode Exit fullscreen mode

Take Specific Action for Unpermitted Parameters

You can also control the behavior when Rails finds the unpermitted parameters. For this, set the action_on_unpermitted_parameters property, which can take one of three values:

  • false to do nothing and continue as if nothing happened.
  • :log to log an event at the DEBUG level.
  • :raise to raise an ActionController::UnpermittedParameters exception.
params = ActionController::Parameters.new(name: "DHH")

### false ###
ActionController::Parameters.action_on_unpermitted_parameters = false
params.permit(:rails)
=> #<ActionController::Parameters {} permitted: true>

### log ###
ActionController::Parameters.action_on_unpermitted_parameters = :log
params.permit(:rails)
2022-05-17 18:39:23.099411 D [56269:4120 subscriber.rb:149] Rails -- Unpermitted parameter: name
=> #<ActionController::Parameters {} permitted: true>

### raise ###
ActionController::Parameters.action_on_unpermitted_parameters = :raise
params.permit(:rails)
=> #../metal/strong_parameters.rb:1002:in `unpermitted_parameters!': found unpermitted parameter: :name (ActionController::UnpermittedParameters)
Enter fullscreen mode Exit fullscreen mode

I hope you now have a better understanding of why strong parameters exist in Rails and how you can use them to build safe and secure applications. If you found this article useful, or have any questions, please let me know.

Discussion (6)

Collapse
jeremyf profile image
Jeremy Friesen

A great article, as always!

If you need a real world example: someone many years ago used the previous "weak" parameters to escalate their GitHub privileges to have be a moderator on the Rails project.

Collapse
software_writer profile image
Akshay Khot Author

Thanks, Jeremy!

Wow, I didn't know that. If you don't mind, I will update my post to include this example (with credits, of course!)

Collapse
jeremyf profile image
Jeremy Friesen
Collapse
ben profile image
Ben Halpern

I'm really enjoying your posts Akshay!

Collapse
software_writer profile image
Akshay Khot Author

Hey Ben, thanks a lot! Really appreciate the kind words, especially from you. Respect the work you've done to build this great community. :)