audit-mass-assignment
Contributors: 0 | Discussions: 0 | Code commits: 4
This SVN repository is no longer active! The project has been MOVED to GitHub:
http://github.com/ryanlowe/audit_mass_assignment
The audit_mass_assignment Ruby on Rails plugin contains a rake task that checks the models in your project for the attr_accessible whitelist approach to protecting against "mass assignment" exploits. It does not check for use of attr_protected! (attr_protected is a blacklist: any attribute added to a model later is mass-assignable until someone remembers to list it, which is why the audit only accepts the whitelist.)
If a Rails model does not use attr_accessible, it fails this audit. The audit does not check which attributes are accessible or protected, only that the model declares attr_accessible at all.
You can run the audit periodically to make sure all of your project's models use attr_accessible. Other audit plugins for Rails could be created to automatically check for bad patterns or insecure code. This one was relatively easy.
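As an added illustration of what such an audit does (this is not the plugin's own rake task), the following plain Ruby scans model sources for the attr_accessible whitelist and reports every model that lacks it. It goes slightly beyond the plugin in two ways: it strips comments first, so a commented-out `# attr_accessible` does not pass, and it distinguishes models that rely only on attr_protected from models with no protection at all. The model sources are constructed inline so the example runs offline; in a real project you would read app/models/*.rb. The filenames and class names are made up for the example.

```ruby
# Constructed sample model sources standing in for app/models/*.rb.
MODELS = {
  "user.rb" => <<~RUBY,
    class User < ActiveRecord::Base
      attr_accessible :name, :email   # whitelist: admin is not assignable
    end
  RUBY
  "post.rb" => <<~RUBY,
    class Post < ActiveRecord::Base
      attr_protected :author_id       # blacklist only: fails the audit
    end
  RUBY
  "comment.rb" => <<~RUBY,
    class Comment < ActiveRecord::Base
      # attr_accessible :body         # commented out: must not count
    end
  RUBY
  "secret.rb" => <<~RUBY,
    class Secret < ActiveRecord::Base
      attr_accessible nil             # protects every attribute
    end
  RUBY
}

# Remove Ruby line comments so commented-out declarations are ignored.
def strip_comments(src)
  src.lines.map { |l| l.sub(/#.*$/, "") }.join
end

# Classify each model source: :ok (whitelist present), :blacklist_only
# (attr_protected but no attr_accessible) or :unprotected (neither).
def audit_mass_assignment(models = MODELS)
  models.each_with_object({}) do |(file, src), report|
    code = strip_comments(src)
    report[file] =
      if code =~ /^\s*attr_accessible\b/
        :ok
      elsif code =~ /^\s*attr_protected\b/
        :blacklist_only
      else
        :unprotected
      end
  end
end

# Sorted list of the files that would make the audit fail.
def failing_models(models = MODELS)
  audit_mass_assignment(models).reject { |_, status| status == :ok }.keys.sort
end

# Report, one line per model, like a rake task would print.
audit_mass_assignment.each { |file, status| puts "#{file}: #{status}" }
puts(failing_models.empty? ? "audit passed" : "audit FAILED: #{failing_models.join(', ')}")
```

Note that `attr_accessible nil` passes, matching the plugin's advice below, while `attr_protected` alone does not. A real task would exit non-zero when failing_models is non-empty so that CI stops on it.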
Install the plugin and run the audit:

    $ ./script/plugin install http://audit-mass-assignment.googlecode.com/svn/trunk/audit_mass_assignment/
    $ rake audit:mass_assignment

If you want to protect ALL attributes, use:

    attr_accessible nil

Why are "mass assignment" exploits a danger to Rails applications? See these links:
1. rorsecurity.info: Do not create records directly from form parameters
2. Railscasts: Hackers Love Mass Assignment
3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
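The danger those links describe, as an added example that is not part of the original page and does not use Rails: AttrModel below is a stand-in for an ActiveRecord model whose `new(params)` copies every key it is given unless the class declared a whitelist with attr_accessible. A signup form that posts straight into `User.new(params[:user])` lets an attacker add an `admin` field to the request; the whitelist drops it silently, and `attr_accessible nil` drops everything. The class names and the request parameters are constructed for the example.

```ruby
# Minimal stand-in for ActiveRecord's mass assignment (not Rails' code).
class AttrModel
  # attr_accessible :a, :b sets a whitelist; attr_accessible nil sets an
  # empty one, so no attribute can be mass-assigned.
  def self.attr_accessible(*names)
    @accessible = names.compact.map(&:to_s)
  end

  def self.accessible
    @accessible   # nil means "no whitelist declared"
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = { "admin" => false }   # default column value
    assign(params)
  end

  # Copy request parameters onto the record. Keys outside the whitelist are
  # dropped without error, which is how attr_accessible behaved in Rails 2/3.
  def assign(params)
    whitelist = self.class.accessible
    params.each do |key, value|
      key = key.to_s
      next if whitelist && !whitelist.include?(key)
      @attributes[key] = value
    end
    self
  end
end

# No protection at all: every posted field becomes a column value.
class UnprotectedUser < AttrModel; end

# Whitelist: only name and email may come from a form.
class ProtectedUser < AttrModel
  attr_accessible :name, :email
end

# attr_accessible nil: nothing may be mass-assigned.
class LockedUser < AttrModel
  attr_accessible nil
end

# Constructed attacker request: a normal signup with an injected admin flag,
# i.e. params[:user] after someone added <input name="user[admin]" value="1">.
EVIL_PARAMS = { "name" => "mallory", "email" => "m@example.test", "admin" => true }

# Would a record created straight from these params end up an admin?
def admin_after_signup(klass, params = EVIL_PARAMS)
  klass.new(params).attributes["admin"]
end

def name_after_signup(klass, params = EVIL_PARAMS)
  klass.new(params).attributes["name"]
end

puts "UnprotectedUser admin? #{admin_after_signup(UnprotectedUser)}"
puts "ProtectedUser   admin? #{admin_after_signup(ProtectedUser)}"
puts "LockedUser      name:  #{name_after_signup(LockedUser).inspect}"
```

The audit above only catches the UnprotectedUser case, and only by the presence of the attr_accessible call; deciding which attributes belong on the whitelist is still a review task for whoever owns the model.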