ruby on rails - False Warning for mass assignment is thrown by Brakeman Gem in model.new and model.update_attributes and model.create


The mass assignment feature of Rails allows an application to create a record from the values of a hash. There are 2 different cases in which a mass assignment warning can arise. The first is when mass assignment occurs directly. Example:

User.new(params[:user])

However, I am not using the hash directly to map the fields available in the table. Instead I am doing something like:

User.new(:first_name => params[:first_name], :last_name => params[:last_name], :address => params[:address])

or

user.update_attributes(:first_name => params[:first_name], :last_name => params[:last_name], :address => params[:address])

Why is this leading to a mass assignment vulnerability? I am not blindly assigning the hash; I am selectively updating a few of the attributes of the table.

One fix is doing the following:

user = User.new
user.first_name = params[:first_name]
user.last_name = params[:last_name]
user.address = params[:address]
user.save

But this is writing unnecessary code just so that Brakeman does not alert on the issue. I am doing the same thing in 4 lines instead of a single line.

Can someone please make me understand the actual issue here, or confirm that it is a false alert? Is there a way I can prevent the false alert from appearing?

I am using Ruby 1.8.7, Rails 2.3.2, Brakeman 3.0.5.

It is possible to have mass assignment issues with those values due to accepts_nested_attributes_for. However, if you are not using accepts_nested_attributes_for, it is a false positive.

Notice that Brakeman returns a "weak" confidence warning for this code. As with all of Brakeman's "weak" confidence warnings, it is code you should take a look at, but it probably isn't an issue.

You can use Brakeman's ignore configuration to ignore false positives. You can also ignore weak confidence warnings by running brakeman -w 2. It's also possible to turn off mass assignment warnings with -x MassAssignment, but I would not recommend it since you are running an ancient (and vulnerable) version of Rails.
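The following is an added example, not code from the question or the answer, that shows without Rails why the three call styles differ. The Model class is a hand-written stand-in for ActiveRecord mass assignment, the address_attributes= setter imitates what accepts_nested_attributes_for :address generates, and the PARAMS hash is a constructed attacker request; the model names, columns and function names are all assumptions made for the illustration.

```ruby
# Added example: a Rails-free simulation of mass assignment. `Model` stands
# in for ActiveRecord (no attr_accessible in play), and `address_attributes=`
# imitates the setter generated by accepts_nested_attributes_for.
class Model
  def self.attr_names
    @attr_names ||= []
  end

  def self.column(*names)
    names.each do |n|
      attr_names << n
      attr_accessor n
    end
  end

  # Mass assignment: every key in the hash becomes a setter call, which is
  # what ActiveRecord's `attributes=` does when nothing is protected.
  def initialize(attrs = {})
    self.attributes = attrs
  end

  def attributes=(attrs)
    attrs.each { |key, value| send("#{key}=", value) }
  end

  def attributes
    self.class.attr_names.inject({}) { |h, n| h[n] = send(n); h }
  end
end

class Address < Model
  column :street, :city, :verified   # :verified is meant to be set only by staff
end

class User < Model
  column :first_name, :last_name, :admin   # :admin is meant to be set only by staff
  attr_reader :address

  # Equivalent of `accepts_nested_attributes_for :address`: the nested hash
  # is mass-assigned into the associated record.
  def address_attributes=(attrs)
    @address = Address.new(attrs)
  end
end

# Constructed attacker request: the form only exposes first_name, last_name,
# street and city, but nothing stops a client from sending extra keys.
PARAMS = {
  :user => { :first_name => "Eve", :last_name => "Mallory", :admin => true },
  :first_name => "Eve",
  :last_name => "Mallory",
  :address_attributes => { :street => "1 Main St", :city => "Springfield", :verified => true }
}

# Case 1: the whole params hash goes to the model, so every key the client
# sent is written, including :admin. This is the classic warning.
def blind_mass_assignment(params)
  User.new(params[:user])
end

# Case 2: the keys are spelled out in the code. Only the listed attributes
# can be written; a stray :admin key in params is never read.
def explicit_keys(params)
  User.new(:first_name => params[:first_name], :last_name => params[:last_name])
end

# Case 3: keys are spelled out, but one value is itself a client-supplied
# hash routed to a nested-attributes setter. That hash is mass-assigned into
# Address, so :verified is still attacker-controlled. This is why explicit
# keys alone do not let Brakeman rule the call out.
def explicit_keys_with_nested(params)
  User.new(:first_name => params[:first_name],
           :address_attributes => params[:address_attributes])
end

# Hardened variant of case 3 (assumed fix, not from the page): copy only the
# fields the form is supposed to submit before they reach the nested setter.
ADDRESS_FORM_FIELDS = [:street, :city]

def explicit_keys_with_filtered_nested(params)
  nested = params[:address_attributes] || {}
  allowed = ADDRESS_FORM_FIELDS.inject({}) { |h, k| h[k] = nested[k] if nested.key?(k); h }
  User.new(:first_name => params[:first_name], :address_attributes => allowed)
end

if __FILE__ == $0
  puts "blind:    admin=#{blind_mass_assignment(PARAMS).admin.inspect}"
  puts "explicit: admin=#{explicit_keys(PARAMS).admin.inspect}"
  puts "nested:   verified=#{explicit_keys_with_nested(PARAMS).address.verified.inspect}"
  puts "filtered: verified=#{explicit_keys_with_filtered_nested(PARAMS).address.verified.inspect}"
end
```

Run it with plain ruby; no gems are needed. The hash-rocket syntax is kept so it also runs on the Ruby 1.8.7 mentioned in the question. In a real Rails 2.3 application the equivalent of the filtered variant is declaring attr_accessible on the nested model, which is the mechanism the version in question already provides.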

