
GitHub Compromised by Mass Assignment Vulnerability


GitHub was recently compromised by a vulnerability in Ruby on Rails known as mass assignment. This vulnerability is thought to affect not only a large number of Ruby-based websites, but also those using ASP.NET MVC and other ORM-backed web frameworks.

Mass assignment by itself is a safe and effective technique for mapping form data to objects. The equivalent in ASP.NET MVC, known as data binding, is likewise safe when used on its own. The actual vulnerability comes from the reckless mixing of mass assignment with an ORM.

Consider this scenario: a database contains a “user” table with a mixture of sensitive and non-sensitive data. Perhaps it has some columns for a user’s display name, email address, and whether or not they are an administrator. A developer wishes to build a screen that allows for editing the display name and email address. To do so they use Rails or MVC scaffolding to automatically generate the domain objects and possibly the view itself. Then they remove from the view any non-user editable fields like the “Is Administrator” checkbox.

A security hole is created if the developer forgets to also remove the IsAdministrator property from the domain object. If they don’t do so, the mass assignment/data binder can be tricked into updating that property along with the legitimate changes, simply by including an extra field in the submitted form data. When the record is then saved, the ORM libraries silently store the new values.

There are three tenable solutions to this problem:

  • Flag the non-updatable properties so that the mass assignment/data binder will ignore them.
  • Completely remove any properties on the business object that are not actually needed.
  • Create models specifically for receiving update requests and manually map them to the ORM object or stored procedure call.
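The scenario above and the first and third of these solutions, as an added example that is not part of the original article or of Rails. It is plain Ruby with no ORM so it runs stand-alone: the `User` class stands in for an ORM-backed record, `update_all_attributes` mimics a mass-assignment setter that accepts whatever keys the form sends, `update_permitted_attributes` mimics a whitelist in the spirit of `attr_accessible`, and `UserProfileForm` is the dedicated update model. All of these names and the tampered request hash are constructed for illustration.

```ruby
# Added example (not from the article): a minimal stand-in for an ORM-backed
# "user" record, written in plain Ruby so it runs without Rails. The method
# names (update_all_attributes, update_permitted_attributes, UserProfileForm)
# are assumptions for illustration, not Rails APIs.

class User
  attr_accessor :display_name, :email, :is_administrator

  def initialize(display_name:, email:, is_administrator: false)
    @display_name = display_name
    @email = email
    @is_administrator = is_administrator
  end

  # Vulnerable pattern: every key in the submitted form hash is written to a
  # matching attribute, so an unexpected "is_administrator" field slips through
  # even though the view never rendered a checkbox for it.
  def update_all_attributes(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Solution 1: flag the updatable properties and ignore everything else
  # (the plain-Ruby equivalent of a Rails attr_accessible whitelist).
  PERMITTED = %w[display_name email].freeze

  def update_permitted_attributes(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

# Solution 3: a model that exists only to receive the edit-profile request.
# It has no is_administrator field at all, so there is nothing to inject into,
# and its values are mapped onto the ORM object explicitly.
class UserProfileForm
  attr_reader :display_name, :email

  def initialize(params)
    @display_name = params["display_name"]
    @email = params["email"]
  end

  def apply_to(user)
    user.display_name = display_name if display_name
    user.email = email if email
    user
  end
end

# Constructed request: the form only rendered display_name and email, but the
# submission carries an extra is_administrator field.
TAMPERED_PARAMS = {
  "display_name" => "alice",
  "email" => "alice@example.com",
  "is_administrator" => true
}.freeze

def fresh_user
  User.new(display_name: "old", email: "old@example.com")
end

def demo_vulnerable
  fresh_user.update_all_attributes(TAMPERED_PARAMS)
end

def demo_whitelist
  fresh_user.update_permitted_attributes(TAMPERED_PARAMS)
end

def demo_form_model
  UserProfileForm.new(TAMPERED_PARAMS).apply_to(fresh_user)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable:  is_administrator=#{demo_vulnerable.is_administrator}"
  puts "whitelist:   is_administrator=#{demo_whitelist.is_administrator}"
  puts "form model:  is_administrator=#{demo_form_model.is_administrator}"
end
```

Running the script shows the vulnerable path ending with `is_administrator=true` while both the whitelist and the form-model paths keep it `false` and still accept the legitimate name and email changes. The second solution in the list (deleting the property from the business object outright) needs no code of its own: `UserProfileForm` already demonstrates that an object without the attribute cannot have it assigned.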

It should be noted that this isn’t a new vulnerability. It is easy to find warnings about mass assignment from four or five years ago with titles such as “Hackers Love Mass Assignment” and “Use attr_protected or we will hack you”. The only difference this time around is the high-profile nature of the victim.
