Brakeman

Ruby on Rails Static Analysis Security Tool

Attribute Restriction

This warning type only applies to Ruby on Rails applications which are not using strong parameters.

Note that disabling mass assignment globally will suppress these warnings.

Missing Protection

This warning comes up if a model does not limit what attributes can be set through mass assignment.

In particular, this check looks for attr_accessible inside model definitions. If it is not found, this warning will be issued.

Use of Blacklist

Brakeman also warns on use of attr_protected, especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected will be reported, but at a lower confidence level.

Suggested Remediation

For newer Ruby on Rails applications, query parameters should be whitelisted before use via strong parameters.

For older Ruby on Rails applications, each model should use attr_accessible to carefully whitelist which attributes may be set via mass assignment, if any.
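The following is an added example, not code from Brakeman or from Rails. It is a small plain-Ruby stand-in for ActiveRecord-style mass assignment, so the three situations this page describes (no protection, an attr_protected blacklist, and an attr_accessible whitelist, plus a controller-side permit step standing in for strong parameters) can be compared side by side without a Rails installation. The class names, the `permit` helper and the request hash are all constructed for the illustration; the helper only mirrors the shape of `params.require(:user).permit(...)`, not its implementation. It also goes slightly beyond the page by adding a second sensitive column, to show why a blacklist is weaker than a whitelist even without any bypass.

```ruby
# Added example (not Brakeman's or Rails' own code): a minimal simulation of
# mass assignment with the three protection strategies the warning covers.

class MassAssignable
  class << self
    # Whitelist (attr_accessible): only the listed attributes may be mass-assigned.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Blacklist (attr_protected): every attribute except the listed ones may be mass-assigned.
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    # Decide whether one incoming key may be written by mass assignment.
    def allowed?(name)
      if @accessible              # whitelist present: default deny
        @accessible.include?(name)
      elsif @protected            # blacklist present: default allow
        !@protected.include?(name)
      else                        # no restriction at all: everything is written
        true
      end
    end
  end

  attr_reader :attributes

  # Mass assignment: copy every permitted key of the request hash into the model.
  def initialize(params = {})
    @attributes = {}
    params.each do |key, value|
      key = key.to_s
      @attributes[key] = value if self.class.allowed?(key)
    end
  end
end

# Three models with the same columns and different protection settings.
class UnprotectedUser < MassAssignable; end    # Brakeman: Missing Protection

class BlacklistUser < MassAssignable           # Brakeman: Use of Blacklist (lower confidence)
  attr_protected :admin
end

class WhitelistUser < MassAssignable           # attr_accessible whitelist, as the page recommends
  attr_accessible :name, :email
end

# Plain-Ruby stand-in for strong parameters: the controller whitelists keys before
# they ever reach the model. Shape only; not the Rails implementation.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Constructed request hash: a signup form's fields plus two keys the form never sends.
# "credits" stands for a sensitive column added to the schema after attr_protected was written.
REQUEST_PARAMS = {
  "name" => "alice", "email" => "alice@example.com", "admin" => true, "credits" => 9999
}.freeze

def attribute_after_mass_assignment(klass, name)
  klass.new(REQUEST_PARAMS).attributes[name]
end

def attributes_with_strong_parameters(klass)
  klass.new(permit(REQUEST_PARAMS, :name, :email)).attributes
end

if __FILE__ == $0
  [UnprotectedUser, BlacklistUser, WhitelistUser].each do |klass|
    puts "#{klass}: #{klass.new(REQUEST_PARAMS).attributes.inspect}"
  end
  puts "strong parameters: #{attributes_with_strong_parameters(UnprotectedUser).inspect}"
end
```

Running the file shows the difference the page describes: the unprotected model accepts every key, the blacklist model blocks only `admin` and silently accepts the newer `credits` column, and the whitelist model (or a controller-side permit step applied before an unprotected model) keeps exactly `name` and `email`.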
