This warning comes up if a model does not limit what attributes can be set through mass assignment. In particular, this check looks for attr_accessible inside model definitions. If it is not found, this warning will be issued. Railroader also warns on use of attr_protected - especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected will be reported, but at a lower confidence level.

“Authentication” is the act of verifying that a user or client is who they say they are. Right now, the only Railroader warning in the authentication category is regarding hardcoded passwords. Railroader will warn about constants with literal string values that appear to be passwords. Hardcoded passwords are security issues since they imply a single password and that password is stored in the source code. Typically source code is available to a wide number of people inside an organization, and there have been many instances of source code leaking to the public.

When skipping before_filters with security implications, a “whitelist” approach using only should be used instead of except. This ensures actions are protected by default, and unprotected only by exception. Back to Warning Types