Fix Mass Assignment in Rails
Mass Assignment occurs when an application takes user-provided data and binds it to internal model attributes without filtering. In Rails, this allows an attacker to manipulate sensitive fields—like 'is_admin', 'role', or 'account_balance'—simply by appending them to the HTTP request. If you're passing the raw params hash into a persistence method, you're handing over the keys to your database.
The Vulnerable Pattern
class UsersController < ApplicationController
  def update
    @user = User.find(params[:id])
    # VULNERABLE: Directly passing the params hash allows an attacker
    # to send { "user": { "admin": true } } to escalate privileges.
    if @user.update(params[:user])
      redirect_to @user
    end
  end
end
The Secure Implementation
The solution is 'Strong Parameters'. By moving the filtering logic into the controller and using the permit() method, you create an allow-list for model attributes. Any key-value pairs not explicitly listed in permit() are stripped out by ActionController::Parameters before the data ever touches the database. This ensures that even if a malicious actor sends 'admin=true', Rails will ignore it because it wasn't sanctioned in the user_params method.
class UsersController < ApplicationController
  def update
    @user = User.find(params[:id])
    # SECURE: Using Strong Parameters to whitelist specific fields.
    if @user.update(user_params)
      redirect_to @user
    end
  end

  private

  def user_params
    # Explicitly permit only the attributes the user is allowed to change.
    params.require(:user).permit(:username, :email, :bio)
  end
end
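To make the allow-list behaviour concrete without a Rails app, here is an added example (not Rails' or the article's code) that re-implements the require/permit semantics in plain Ruby and runs it over a constructed request carrying injected "admin" and "role" keys. The AllowListParams and ParameterMissing names, the unpermitted list and the TAMPERED_REQUEST body are all constructed for this illustration.

```ruby
# Added example, not Rails' own code: a minimal stand-in for the
# require/permit allow-list of ActionController::Parameters, runnable
# without a Rails app so the filtering can be inspected directly.
class ParameterMissing < StandardError; end # analogous to ActionController::ParameterMissing

class AllowListParams
  attr_reader :unpermitted

  def initialize(raw)
    @raw = raw.transform_keys(&:to_s) # parsed request bodies carry string keys
    @unpermitted = []
  end

  # params.require(:user): the nested hash must be present and non-empty.
  def require(key)
    nested = @raw[key.to_s]
    raise ParameterMissing, "param is missing: #{key}" unless nested.is_a?(Hash) && !nested.empty?
    AllowListParams.new(nested)
  end

  # .permit(:username, :email): keep only the listed scalar keys and record
  # every other key so the caller can log or raise on it.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @raw.each_with_object({}) do |(k, v), permitted|
      if allowed.include?(k) && [String, Numeric, TrueClass, FalseClass, NilClass].any? { |t| v.is_a?(t) }
        permitted[k] = v
      else
        @unpermitted << k
      end
    end
  end
end

# Constructed request body: a normal profile edit with "admin" and "role"
# appended by the client, the tampering the article describes.
TAMPERED_REQUEST = {
  "id" => "42",
  "user" => { "username" => "alice", "email" => "alice@example.test",
              "admin" => true, "role" => "superuser" }
}

# Mirrors the article's user_params but also returns the keys that were
# dropped, the same information Rails surfaces when
# config.action_controller.action_on_unpermitted_parameters is :log or :raise.
def user_params(request_params)
  params = AllowListParams.new(request_params).require(:user)
  permitted = params.permit(:username, :email, :bio)
  [permitted, params.unpermitted] # => [{"username"=>"alice", "email"=>"alice@example.test"}, ["admin", "role"]]
end
```

On Rails 4 and later, passing an unfiltered ActionController::Parameters object to update raises ActiveModel::ForbiddenAttributesError, so the vulnerable pattern above usually survives only through permit! or to_unsafe_h. Setting config.action_controller.action_on_unpermitted_parameters to :log (or :raise) makes the dropped keys visible in production, which is a cheap signal that a client is probing for this flaw.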
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.