
acts_as_audited security update

Thanks to Michael Schuerig for pointing out that malicious users could disassociate your audit records from the audited model because of the way acts_as_audited uses has_many. has_many :audits creates an attribute writer called audit_ids on any model you declare acts_as_audited, so a user who controls the request parameters could pass an array of ids through mass assignment and replace the model's real audit associations with whatever they chose.

This has been fixed by adding attr_protected :audit_ids, which protects it from mass assignment. If you’re not using SVN externals, make sure you get the latest version.
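An added, stand-alone illustration of the problem and the fix (not acts_as_audited's own code, and no ActiveRecord involved): a tiny model that mimics the `audit_ids=` writer a has_many association generates and Rails-style mass assignment, with and without `attr_protected :audit_ids`. The classes, the sample audit records and the form parameters are all constructed for the example.

```ruby
class AuditedBase
  def self.attr_protected(*names)
    @protected_attrs = protected_attrs + names.map(&:to_s)
  end

  def self.protected_attrs
    @protected_attrs ||= []
  end

  attr_accessor :name    # a normal column with a generated writer
  attr_reader :audits

  def initialize(name, audits)
    @name = name
    @audits = audits.dup
  end

  # What has_many :audits generates: assigning a list of ids re-associates the
  # collection, dropping every audit whose id is not in the list.
  def audit_ids=(ids)
    wanted = Array(ids).map(&:to_i)
    @audits = @audits.select { |a| wanted.include?(a[:id]) }
  end

  # Rails-style mass assignment: each key in the hash is sent to its writer
  # unless the class declared it attr_protected.
  def attributes=(params)
    params.each do |key, value|
      key = key.to_s
      next if self.class.protected_attrs.include?(key)
      next unless respond_to?("#{key}=")
      public_send("#{key}=", value)
    end
  end
end

class UnprotectedUser < AuditedBase; end

class ProtectedUser < AuditedBase
  attr_protected :audit_ids   # the fix shipped in this update
end
SAMPLE_AUDITS = [{ id: 1, action: "create" }, { id: 2, action: "update" }] # constructed
FORM_PARAMS   = { "name" => "alice", "audit_ids" => [] }                   # constructed request params

# Returns the ids of the audits still attached after a form-style update.
def audits_after_mass_assignment(klass)
  user = klass.new("bob", SAMPLE_AUDITS)
  user.attributes = FORM_PARAMS
  user.audits.map { |a| a[:id] }
end
```

Against the unprotected class the submitted empty `audit_ids` wipes the audit trail; with `attr_protected :audit_ids` the key is dropped before it reaches the writer and both audits survive. (attr_protected itself was removed from Rails core in 4.0 in favour of strong parameters, which filter the params hash in the controller instead.)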

Tags: acts_as_audited, plugin, rails, ruby, security. Posted Sep 07, 2006, updated Dec 01, 2006.

2 comments

  1. It appears that the introduction of attr_protected :audit_ids wreaks havoc on my test suite. When the acts_as_audited plugin is used in conjunction with the restful_authentication plugin (and you are auditing the User model), all of the tests bomb with the following error:

    RuntimeError: Declare either attr_protected or attr_accessible for User, but not both.

    If I comment out the attr_protected :audit_ids line in the acts_as_audited.rb file, then the errors go away. I am trying to figure out a way to fix this without leaving the security hole mentioned above, but I wanted to throw this out there to see if anyone else had run into this, and could offer a possible solution.

    Zac, June 25, 2008 at 06:20 PM
  2. Zac,

    It isn’t just a test stopper. I have a model to audit that bombs in the run because it has several attr_accessible attributes.

    FrankL, August 01, 2008 at 12:26 PM
