This repository has been archived by the owner on Apr 17, 2020. It is now read-only.
simplabs edited this page Aug 13, 2010 · 2 revisions
This check reports ActiveRecord models that specify attr_protected. Like attr_accessible, attr_protected is a helper to secure ActiveRecord models against mass assignment attacks (see http://guides.rubyonrails.org/security.html#mass-assignment). Where attr_accessible specifies a white list of properties that are writeable by mass assignment, attr_protected specifies a black list. A black list is usually less secure because it has to be updated for every new property that is introduced, which is easy to forget.
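The "easy to forget" failure mode, as an added example that is not part of the original page or of the project's code. `ToyModel` is a hypothetical, simplified stand-in for ActiveRecord's mass-assignment filtering, and the `admin` column and the request parameters are constructed for illustration.

```ruby
# Simplified stand-in for mass-assignment filtering (assumption: not Rails code).
class ToyModel
  class << self
    attr_reader :protected_attrs, :accessible_attrs

    def columns(*names)
      @columns = names.map(&:to_s) unless names.empty?
      @columns || []
    end

    def attr_protected(*names)   # black list: everything else stays writeable
      @protected_attrs = names.map(&:to_s)
    end

    def attr_accessible(*names)  # white list: everything else is denied
      @accessible_attrs = names.map(&:to_s)
    end

    # Attributes a params hash is allowed to set.
    def mass_assignable
      return columns & accessible_attrs if accessible_attrs
      columns - (protected_attrs || [])
    end
  end

  attr_reader :attributes

  def initialize(params = {})
    allowed = self.class.mass_assignable
    @attributes = params.select { |key, _| allowed.include?(key.to_s) }
  end
end

# Both lists were written when the table had name, email and password_hash.
# The admin column was added later and neither list was updated.
class BlacklistedUser < ToyModel
  columns :name, :email, :password_hash, :admin
  attr_protected :password_hash
end

class WhitelistedUser < ToyModel
  columns :name, :email, :password_hash, :admin
  attr_accessible :name, :email
end

# Constructed request parameters carrying a field the form never offered.
PARAMS = { 'name' => 'alice', 'email' => 'a@example.test', 'admin' => true }.freeze

def assigned(model)
  model.new(PARAMS).attributes
end
```

With the black list the new `admin` column is writeable until someone remembers to protect it; with the white list it is denied by default.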