Having been a Rails developer for 2-3 years now, I caught up on the news about Github’s mass assignment vulnerability.
Mass assignment is a Rails feature (and still is one) that lets you put a number of attributes in a hash and save them all at once. This is especially handy when dealing with forms.
However, a malicious user can add extra attributes to the submitted hash, so that fields the form never offered get written as well, leaving the application open to attribute injection.
This wouldn’t have been an issue if attr_accessible had been used more consistently: no attribute can be mass-assigned unless it is listed in attr_accessible. This is a Rails practice that should be followed from the start.
The Rails community quickly addressed mass assignment by making the attr_accessible whitelist on by default.
In CakePHP, mass assignment could be a problem too: if was tampered with, it could potentially be dangerous.
The Model’s save method takes a third parameter: an array of the fields that should be saved. CakePHP will safely ignore any extra fields.
Voila! Mass assignment vulnerability foiled!
other PHP Frameworks
After receiving more information from DCoder, the phrase I was searching for here is a "mass assignment vulnerability." That is to say, taking advantage of the convenience of methods that would save all valid fields to the database, regardless of their presence on the initial form (making them vulnerable to manipulated POST data containing more [possibly more critical] fields than the intended ones).
The two common responses are then appropriately named whitelisting and blacklisting; whitelisting fields intended for modification, or blacklisting fields that should not be modified.
My question then follows: does CakePHP automatically whitelist only those fields in the submitting form, or is it necessary for me (and other Cake fans) to be careful that we are whitelisting or blacklisting appropriately?
Cake offers a lot of great ways to generate forms and handle them nearly automatically. As I was thinking about security, I got to wondering: is Cake aware of what fields existed in a form submitted, or will it simply accept any valid field? Take the following scenario if I'm not making sense (and someone is welcome to edit my question to be better worded if they can think of a better way to express it):
Let's say I allow my users to edit their profile. I create a form which has fields for username, e-mail, and password, under the action .
A clever user wants to come in and change their field from to , so they use an app like Firebug to submit custom POST data to the action, which includes the field set to .
The question is, would Cake realize on its own that was not in the original form, or do I need to be careful to explicitly specify the only fields a given action can modify? Is there an easier way?
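The scenario in the question above, and the whitelist fix the blog section describes for both Rails (attr_accessible) and CakePHP (the field list passed as the third parameter to save), as an added, framework-independent Ruby example. This is not code from the original post, from Rails or from CakePHP: the Profile class, the `role` column standing in for a privileged field, and the tampered request hash are all constructed for illustration.

```ruby
# Added example (not code from the original post or from Rails/CakePHP):
# a plain-Ruby model showing why unrestricted mass assignment is dangerous
# and how an attr_accessible-style whitelist closes the hole. Field names
# and the sample request below are constructed for illustration.

class Profile
  # Every column the record carries, including ones that must never be
  # set from a form. `role` stands in for any privileged field (constructed).
  ATTRIBUTES = %i[username email password role].freeze

  # Whitelist of fields a user may change through the profile form.
  # This plays the part of Rails' attr_accessible / CakePHP's fieldList.
  ACCESSIBLE = %i[username email password].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(username:, email:, password:, role: 'member')
    @username, @email, @password, @role = username, email, password, role
  end

  # Vulnerable pattern: assigns every key in the submitted hash, so a
  # hand-crafted POST can set fields the form never offered.
  def unsafe_update(params)
    params.each do |key, value|
      name = key.to_sym
      instance_variable_set("@#{name}", value) if ATTRIBUTES.include?(name)
    end
    self
  end

  # Hardened pattern: drop every key not on the whitelist before assigning.
  # Returns the rejected keys so the caller can log the tampering attempt.
  def update(params)
    allowed, rejected = params.partition { |key, _| ACCESSIBLE.include?(key.to_sym) }
    allowed.each { |key, value| instance_variable_set("@#{key}", value) }
    rejected.map { |key, _| key.to_s }
  end
end

# Constructed request body: the three fields from the form plus an extra
# one that was appended by hand and never appeared in the form.
TAMPERED_PARAMS = {
  'username' => 'alice',
  'email'    => 'alice@example.com',
  'password' => 'new-secret',
  'role'     => 'admin'
}.freeze

def fresh_profile
  Profile.new(username: 'alice', email: 'a@example.com', password: 'old')
end

# Without a whitelist the extra field lands in the record.
def demo_unsafe
  fresh_profile.unsafe_update(TAMPERED_PARAMS)
end

# With the whitelist the form fields are applied and the extra one is dropped.
def demo_safe
  profile = fresh_profile
  rejected = profile.update(TAMPERED_PARAMS)
  [profile, rejected]
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: role=#{demo_unsafe.role}"                            # role=admin
  profile, rejected = demo_safe
  puts "safe:   role=#{profile.role}, rejected=#{rejected.inspect}" # role=member, rejected=["role"]
end
```

The whitelist lives next to the model rather than in the controller, so every code path that mass-assigns goes through the same filter; that is the same idea as declaring attr_accessible once in a Rails model, or passing the same field list to CakePHP's save for every action that writes that model. Logging the rejected keys turns a tampered request from a silent no-op into a detectable event.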