This warning type only applies to Ruby on Rails applications which are not using strong parameters.
Note that disabling mass assignment globally will suppress these warnings.
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible inside model definitions. If it is not found, this warning will be issued.
Use of Blacklist
Brakeman also warns on use of attr_protected - especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected will be reported, but at a lower confidence level.
For newer Ruby on Rails applications, query parameters should be whitelisted before use via strong parameters.
For older Ruby on Rails applications, each model should use attr_accessible to carefully whitelist which attributes may be set via mass assignment, if any.
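The three situations this warning distinguishes (no restriction, attr_protected blacklist, attr_accessible whitelist) and the strong-parameters alternative, as an added example that is not Brakeman or Rails code: ModelStub, the permit helper and the constructed UNTRUSTED_PARAMS hash are stand-ins written for this page so it runs without Rails.

```ruby
# Minimal stand-in for Rails 3 mass-assignment protection on an ActiveRecord
# model (example code, not Rails itself). Each subclass below mirrors one of
# the cases Brakeman looks for.
class ModelStub
  def self.attr_accessible(*names)   # whitelist, as on a real Rails 3 model
    @accessible = names.map(&:to_s)
  end

  def self.attr_protected(*names)    # blacklist, the weaker form Brakeman flags
    @protected = names.map(&:to_s)
  end

  def self.allowed?(name)
    return @accessible.include?(name) if @accessible
    return !@protected.include?(name) if @protected
    true                             # no restriction at all
  end

  attr_reader :attributes

  def initialize(params)             # mass assignment: User.new(params[:user])
    @attributes = {}
    params.each do |k, v|
      @attributes[k.to_s] = v if self.class.allowed?(k.to_s)
    end
  end
end

class UnprotectedUser < ModelStub    # no attr_accessible: Brakeman warns
end

class BlacklistUser < ModelStub      # attr_protected only: lower-confidence warning
  attr_protected :admin
end

class WhitelistUser < ModelStub      # attr_accessible: no warning
  attr_accessible :name, :email
end

# Constructed request parameters: a sign-up form submission to which the client
# has added an "admin" key the form never offered.
UNTRUSTED_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

# Strong-parameters analogue: the controller whitelists before the model sees
# the hash (in Rails: params.require(:user).permit(:name, :email)).
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |k, _| allowed.include?(k.to_s) }
end

def admin?(model)
  model.attributes["admin"] == true
end
```

Only UnprotectedUser ends up with admin set; the whitelisted model and the permit helper drop the unexpected key before it can become an attribute.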