acts_as_audited security update

Tags: acts_as_audited | plugin | rails | ruby | security. September 07 2006

Thanks to Michael Schuerig for pointing out that malicious users could unassociate your audit records because of the way acts_as_audited uses has_many. Declaring has_many :audits defines an audit_ids attribute writer on every model that declares acts_as_audited, and since that writer is reachable through mass assignment, a user could pass an array of ids in a request that overwrites the model's actual set of audit records.

This has been fixed by adding attr_protected :audit_ids, which excludes the attribute from mass assignment. If you're not using SVN externals, make sure you update to the latest version.
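As an added illustration (not the plugin's code, and plain Ruby rather than ActiveRecord), the following models the audit_ids writer that has_many generates, applies the same constructed form input through an unprotected and an attr_protected-style mass assignment, and returns what each leaves of the audit trail:

```ruby
# Constructed, plain-Ruby model (no ActiveRecord) of the issue in this post:
# has_many :audits defines an audit_ids= writer, and any writer reachable by
# mass assignment can be driven by user-supplied form parameters.
Audit = Struct.new(:id)

class AuditedRecord
  # Writers that mass assignment must never reach (mirrors attr_protected :audit_ids).
  PROTECTED = %w[audit_ids].freeze

  attr_accessor :name
  attr_reader :audits

  def initialize(name, audits)
    @name, @audits = name, audits
  end

  # Stand-ins for the collection_singular_ids reader/writer that has_many generates.
  def audit_ids
    @audits.map(&:id)
  end

  # Simplified: audits whose id is not in the list are dropped from the association.
  def audit_ids=(ids)
    @audits = @audits.select { |a| ids.include?(a.id) }
  end

  # Before the fix: every key in the hash is forwarded to a writer.
  def unprotected_attributes=(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  # After the fix: protected keys are discarded before any writer is called.
  def attributes=(attrs)
    safe = attrs.reject { |k, _| PROTECTED.include?(k.to_s) }
    safe.each { |k, v| public_send("#{k}=", v) }
  end
end

# Same constructed form input applied to both code paths; returns what each leaves behind.
def demo
  hostile = { "name" => "invoice v2", "audit_ids" => [] }   # constructed request params
  victim = AuditedRecord.new("invoice", [Audit.new(1), Audit.new(2)])
  victim.unprotected_attributes = hostile                   # audit trail wiped
  fixed = AuditedRecord.new("invoice", [Audit.new(1), Audit.new(2)])
  fixed.attributes = hostile                                # name updates, audits survive
  { vulnerable: victim.audit_ids, protected: fixed.audit_ids, name: fixed.name }
end
```

A regression test asserting that audit_ids survives a mass assignment of the model's attributes is the check worth keeping in a suite that audits a model.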

posted by brandon | updated December 1st 01:03 AM

2 comments

  1. It appears that the introduction of the attr_protected :audit_ids wreaks havoc on my test suite. When the acts_as_audited plugin is used in conjunction with the restful_authentication plugin (and you are auditing the User model), all of the tests bomb with the following error:

    RuntimeError: Declare either attr_protected or attr_accessible for User, but not both.

    If I comment out the attr_protected :audit_ids line in the acts_as_audited.rb file, then the errors go away. I am trying to figure out a way to fix this without leaving the security hole mentioned above, but I wanted to throw this out there to see if anyone else had run into this, and could offer a possible solution.

    Zac
    June 25, 2008 at 06:20 PM
  2. Zac,

    It isn’t just a test stopper. I have a model to audit that bombs in the run because it has several attr_accessible attributes.

    FrankL
    August 01, 2008 at 12:26 PM

About

I'm Brandon Keepers, a web application developer that likes beautiful code, valid markup and adherence to standards. As a part of Collective Idea in Holland, Michigan, I practice Agile software development primarily using Ruby on Rails.