Fix Mass Assignment in Cuba
Mass Assignment in Cuba occurs when raw request parameters are piped directly into model setters or database update methods. Since Cuba is a micro-framework that stays out of your way, it lacks the 'Strong Parameters' safety net found in Rails. If you blindly pass `req.params` to your ORM, attackers can overwrite sensitive fields like `is_admin`, `role`, or `password_reset_token` by injecting unexpected keys into the HTTP request body.
The Vulnerable Pattern
```ruby
require 'cuba'

Cuba.define do
  on post do
    on 'settings' do
      # VULNERABLE: the raw, user-controlled request hash is passed straight to the model
      user = User[session[:user_id]]
      user.update(req.params['user'])
      res.redirect '/dashboard'
    end
  end
end
```
The Secure Implementation
The fix involves implementing a strict whitelist policy. In the secure example, we use `slice` (available in ActiveSupport or via a simple helper) to extract only the keys we intend to allow. This ensures that even if an attacker sends `user[is_admin]=true`, the application ignores it. In a professional AppSec workflow, you should never allow the persistence layer to accept a raw parameter hash without a transformation or filtering layer between the request and the model.
```ruby
require 'cuba'

Cuba.define do
  on post do
    on 'settings' do
      user = User[session[:user_id]]
      # SECURE: explicitly whitelist permitted attributes
      # (Hash#slice or manual assignment); anything else in the request is dropped
      safe_params = req.params['user'].slice('bio', 'display_name', 'timezone')
      user.update(safe_params)
      res.redirect '/dashboard'
    end
  end
end
```
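The filtering layer described above, written out as an added stand-alone example (not code from the page or the Cuba project): a `permit` helper that sits between the request and the model, an in-memory `User` stand-in for the ORM record, and a constructed request body carrying an injected `is_admin` key so the vulnerable and secure updates can be compared side by side. The helper also tolerates a missing or non-Hash `user` param, which `req.params['user'].slice(...)` would raise on.

```ruby
# Minimal stand-in for an ORM record (assumption: the real app uses its own model
# whose #update merges a hash of attributes).
class User
  attr_reader :attrs

  def initialize(attrs)
    @attrs = attrs
  end

  def update(hash)
    @attrs.merge!(hash)
  end
end

# Whitelist of attributes a user may change on their own record.
PERMITTED_USER_KEYS = %w[bio display_name timezone].freeze

# Filtering layer: return only permitted keys from the nested param.
# Rack parses `user[is_admin]=true` into {"user"=>{"is_admin"=>"true"}}, but a
# body of `user=foo` yields a String, so guard the type instead of raising.
def permit(params, key, allowed)
  nested = params[key]
  return {} unless nested.is_a?(Hash)
  nested.slice(*allowed)
end

# The vulnerable pattern: the raw request hash reaches the model.
def vulnerable_update(user, params)
  user.update(params['user'])
  user.attrs
end

# The secure pattern: only whitelisted keys reach the model.
def secure_update(user, params)
  user.update(permit(params, 'user', PERMITTED_USER_KEYS))
  user.attrs
end

# Constructed request body: one legitimate field plus two injected privileged keys.
TAMPERED = { 'user' => { 'bio' => 'hello', 'is_admin' => 'true', 'role' => 'owner' } }.freeze

if __FILE__ == $PROGRAM_NAME
  fresh = -> { User.new('id' => 1, 'is_admin' => false, 'bio' => '') }
  puts "vulnerable: #{vulnerable_update(fresh.call, TAMPERED)}" # is_admin becomes "true"
  puts "secure:     #{secure_update(fresh.call, TAMPERED)}"     # only bio changes
end
```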
Verified by Ghost Labs Security Team