
Rails security fixes 2.3.10, 3.0.1 released - aaronbrethorst
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
======
tptacek
This looks really bad.

The ActiveRecord ORM supports URL patterns that reference attributes across
associations. So if you have a "user" with a 1:1 relationship with an
"account", you can craft a URL with parameters that directly reference the
"account" for your "user".

It turns out Rails has special logic for the case where those parameters
include an "id": it looks like Rails will find _whatever account has that id,
update it, and associate it with the current user_.

~~~
keeran
Might be helpful to point out your alarmist statement assumes the scenario you
have described. FWIW I've never seen a user:account setup using nested
attributes in this way.

~~~
tptacek
Sorry, I had 2 minutes to type this up. I don't agree with _your_ reason why
this is alarmist (if you have "users" with "accounts", you care), but:

* you have to be doing mass assignments, and

* you have to have nested attribute assignments turned on.

It's bad, but I agree that it's not going to bite most apps.

Well, except for a bunch of these:

[http://github.com/search?q=accepts_nested_attributes_for&...](http://github.com/search?q=accepts_nested_attributes_for&type=Everything&repo=&langOverride=&start_value=1)

------
patio11
Please note: this only ruins your morning if you use
accepts_nested_attributes_for somewhere.

~~~
steveklabnik
And if you were running 2.3.9 or 3.0.0. (I've still got apps on 2.3.5)

~~~
gchpaco
2.3.5 may not necessarily be safe, just saying.

~~~
tptacek
2.3.5 does not attempt to gracefully handle the 'id' attribute when it doesn't
actually refer to the ActiveRecord ID of a live association. That "feature" is
what caused the bug, and it's as of 2.3.9.

------
gregwebs
You can actually accomplish something similar to this on an app that isn't
using attr_accessible (will probably work if they are using attr_protected).
From the Rails docs for has_many:

    collection_singular_ids=ids
    Replace the collection with the objects identified by the primary keys in ids

The full attack is still tricky. But if there are roles for users you can send
role_ids => [1] to become an admin.
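One defensive pattern for the mass-assignment issue raised in both tptacek's nested-attributes posts and gregwebs's role_ids post, as an added Ruby example that is not from the thread or from Rails itself: a request-parameter whitelist applied before the params reach the model, which drops association setters such as role_ids and never trusts a client-supplied nested id. The attribute names, the USER_PERMITTED/ACCOUNT_PERMITTED lists and the permit_user_params/rejected_keys functions are assumptions for illustration; the sample parameters are constructed.

```ruby
# Added example, not code from the thread or from Rails: a whitelist filter for
# mass-assignment parameters in the style apps used before strong parameters.
# All names below (permitted lists, functions, sample data) are hypothetical.

# Attributes a user may set on their own record from a form submission.
USER_PERMITTED = %w[name email].freeze

# Attributes allowed inside the nested account_attributes hash. "id" is
# deliberately absent: the owning account's id is supplied by the application
# from the session, never taken from the client.
ACCOUNT_PERMITTED = %w[plan].freeze

# Constructed request parameters: a profile edit that also carries a role_ids
# association setter and a foreign account id inside the nested hash.
SAMPLE_PARAMS = {
  "name" => "alice",
  "role_ids" => [1],
  "account_attributes" => { "id" => 42, "plan" => "free" }
}.freeze

# Returns a new hash containing only permitted keys. Nested account params are
# pinned to current_account_id (the id of the account that actually belongs to
# the logged-in user, looked up server-side), so an update can only ever reach
# the caller's own account no matter which id the request carried.
def permit_user_params(raw, current_account_id:)
  raw = raw.transform_keys(&:to_s)
  clean = raw.select { |k, _| USER_PERMITTED.include?(k) }

  nested = raw["account_attributes"]
  if nested.is_a?(Hash)
    acct = nested.transform_keys(&:to_s).select { |k, _| ACCOUNT_PERMITTED.include?(k) }
    acct["id"] = current_account_id
    clean["account_attributes"] = acct
  end

  clean
end

# Lists the keys the filter would drop, in dotted form for nested keys
# ("account_attributes.id"), so the application can log attempted
# mass assignment of protected attributes.
def rejected_keys(raw)
  raw = raw.transform_keys(&:to_s)
  dropped = raw.keys.reject { |k| USER_PERMITTED.include?(k) || k == "account_attributes" }

  nested = raw["account_attributes"]
  if nested.is_a?(Hash)
    nested.keys.map(&:to_s)
          .reject { |k| ACCOUNT_PERMITTED.include?(k) }
          .each { |k| dropped << "account_attributes.#{k}" }
  end

  dropped.sort
end

if __FILE__ == $PROGRAM_NAME
  # Usage: the current user's account id would come from the session.
  p permit_user_params(SAMPLE_PARAMS, current_account_id: 7)
  p rejected_keys(SAMPLE_PARAMS)
end
```

The point of the filter is that neither attr_accessible nor attr_protected on the model is doing the work: the model only ever sees keys the controller chose to pass through, and the nested id is overwritten rather than merely checked, so the "find whatever account has that id" path described in the thread cannot be steered by the request.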

