Mass assignment and security
Mass assignment means setting several attributes of an object at once from a hash, instead of assigning them one by one. Typically the request parameter hash, params, is handed straight to the model to update it. For example:

# params: { name: "Gautam", age: 35 }
user.update_attributes(params)
But what happens if someone sends information that was never meant to be part of params? What if the request also carried password: "something"? Nothing about the HTML form prevents it: an attacker can build the POST body by hand, and update_attributes will write every key it receives, so the User object's password is overwritten along with the name and age. Any attribute the model exposes, including the ones that control privileges, is reachable this way, and that creates havoc.
That's exactly what happened.
Note
In March 2012, Egor Homakov used this Rails mass assignment vulnerability against github.com. He was kind enough not to cause any harm; his intention was only to highlight how dangerous mass assignment is in Rails applications.
He submitted a new public SSH key with the key's user_id parameter pointing at a Rails core committer's account. GitHub mass-assigned the attribute, the key was attached to that account, and it worked: he could push to the rails/rails repository. His point stood: mass assignment is dangerous.
To protect against mass assignment, Rails...
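The attack described above, and the allowlist defence, as an added runnable example that is not code from the book or from Rails: a plain-Ruby stand-in for an ActiveRecord model so the problem can be run without a Rails app. The attribute names, the permit helper and the hostile request hash are all constructed for illustration.

```ruby
# Added example, not code from the book or from Rails: a plain-Ruby stand-in
# for an ActiveRecord model so the mass-assignment problem runs without Rails.
# The attribute names and the request hashes are constructed for illustration.
require "set"

class User
  attr_accessor :name, :age, :password, :admin

  def initialize(name:, age:, password: nil, admin: false)
    @name, @age, @password, @admin = name, age, password, admin
  end

  # Naive mass assignment, mirroring update_attributes(params): every key in
  # the hash becomes a setter call, so any attribute the attacker names in the
  # request body gets written, not just the fields that were on the form.
  def update_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Allowlist filter (hypothetical helper, same idea as Rails's attr_accessible
# and strong parameters): keep only the keys the controller explicitly permits,
# drop everything else, and report what was dropped so it can be logged as a
# probable attack rather than silently ignored.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s).to_set
  permitted, rejected = params.partition { |key, _| allowed.include?(key.to_s) }
  warn "rejected unpermitted attributes: #{rejected.map(&:first).join(', ')}" unless rejected.empty?
  permitted.to_h
end

# Constructed hostile request: the HTML form only offered name and age, but the
# attacker builds the POST body by hand and adds password and admin.
ATTACKER_PARAMS = { "name" => "Gautam", "age" => 36, "password" => "pwned", "admin" => true }.freeze

# Vulnerable path: the raw params hash reaches the model untouched.
def vulnerable_update(params = ATTACKER_PARAMS)
  User.new(name: "Gautam", age: 35).update_attributes(params)
end

# Hardened path: only name and age survive the allowlist.
def hardened_update(params = ATTACKER_PARAMS)
  User.new(name: "Gautam", age: 35).update_attributes(permit(params, :name, :age))
end

if __FILE__ == $PROGRAM_NAME
  v = vulnerable_update
  puts "vulnerable: password=#{v.password.inspect} admin=#{v.admin}"  # password="pwned" admin=true
  h = hardened_update
  puts "hardened:   password=#{h.password.inspect} admin=#{h.admin}"  # password=nil admin=false
end
```

The same shape is what Rails itself provides: attr_accessible on the model in Rails 3, and in Rails 4 and later params.require(:user).permit(:name, :age) in the controller. Whichever mechanism is used, the rule is the same: the model should never see a key the application did not explicitly allow, and rejected keys are worth logging because a request that carries them was not produced by your form.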