
Trigger Mass Assignment rule on other foreign keys than account_id

Open · Owpac-doctolib opened this issue 3 years ago · 1 comment

**Is your feature request related to a problem? Please describe.**

In order to improve IDOR prevention, it would be interesting to be able to add foreign keys that could trigger warnings from the mass assignment rule.

**Describe the solution you'd like**

One way to solve it would be to introduce a new flag, e.g. `--mass-assignment-match customer_id, role_id, card_id`. This way, whenever there is `params.permit(:customer_id)` or `params.permit(:role_id)`, it will also trigger a warning, as for `account_id`.

Owpac-doctolib · Feb 21 '22 16:02
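As an added example (not Brakeman's code and not from the issue author), the following is a minimal stand-in for the requested flag: a line-oriented scan of Ruby source for strong-parameter `permit` calls, reporting any permitted key that appears in a configurable foreign-key list, the way Brakeman already reports `account_id`. The controller source, the `flag_permitted_foreign_keys` function and the watched-key list are all constructed for this example; Brakeman itself works on a parsed AST rather than regexes.

```ruby
# Hypothetical stand-in for "--mass-assignment-match": default mirrors the
# existing account_id behaviour, callers pass an extended list to widen it.
DEFAULT_FOREIGN_KEYS = %w[account_id].freeze

# Returns [{ line:, key:, call: }, ...] for every key permitted via
# `.permit(...)` that is in `watched`. Handles :symbol and "string" keys on a
# single line; multi-line permit calls are out of scope for this sketch.
def flag_permitted_foreign_keys(source, watched = DEFAULT_FOREIGN_KEYS)
  watched = watched.map(&:to_s)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    m = line.match(/\.permit\s*\((.*?)\)/)   # non-greedy: stop at the first ')'
    next unless m
    keys = m[1].scan(/:(\w+)|["'](\w+)["']/).flatten.compact
    keys.each do |key|
      next unless watched.include?(key)
      findings << { line: lineno, key: key, call: line.strip }
    end
  end
  findings
end

# Constructed sample controller. `order_params` is the case Brakeman already
# flags; `legacy_params` is the IDOR-prone pattern the issue wants flagged;
# `scoped_order_params` shows the safer shape, where the foreign key comes
# from the authenticated scope instead of user-controlled params.
SAMPLE_CONTROLLER = <<~RUBY
  class OrdersController < ApplicationController
    def create
      order = Order.new(order_params)
      order.save
    end

    private

    def order_params
      params.require(:order).permit(:account_id, :amount)
    end

    def legacy_params
      params.permit(:customer_id, :card_id)
    end

    # Safer shape: foreign key derived from the authenticated scope, not params
    def scoped_order_params
      params.require(:order).permit(:amount).merge(customer_id: current_user.customer_id)
    end
  end
RUBY
```

Running `flag_permitted_foreign_keys(SAMPLE_CONTROLLER, %w[account_id customer_id role_id card_id])` reports lines 10 and 14 of the sample, while the default list reports only line 10.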

https://github.com/presidentbeef/brakeman/issues/1144 has some background about when checking all `*_id` was tried.

nikolai-b · Feb 23 '24 14:02