ChiliProject is not maintained anymore. Please be advised that there will be no more updates. We do not recommend that you setup new ChiliProject instances and we urge all existing users to migrate their data to a maintained system, e.g. Redmine. We will provide a migration script later. In the meantime, you can use the instructions by Christian Daehn.
Countermeasures against potential DoS-Weakness concerning Mass-Assignment
Added by Gregor Schmidt at 2011-07-20 07:16 am
Michael Koziarski just released a security advisory concerning a potential DoS weakness when using ActiveRecord mass assignments w/o attr_protected. As far as I know, there are at least some models in ChiliProject that do not use attr_protected but some custom functionality called safe_attributes. I know there has been some discussion to rework safe_attributes, but I think most of us were not aware of the issue outlined by Koz in the advisory.
I think we should review our models regarding this weakness as well as the safe_attributes code.
What do you think?
Thanks for bringing that advisory up, I had it saved to talk about today.
At the surface I think it is yet another reason we should "Remove safe_attributes in favor of attr_accessible (or the like)". I'll post an update in that thread, we should add this discussion over there.
Eric Davis
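The two strategies contrasted in this thread (a blacklist such as attr_protected, versus a whitelist such as attr_accessible) can be shown without ActiveRecord at all. The snippet below is an added illustration, not code from ChiliProject, Rails or either poster; the Issue class, its PROTECTED and ACCESSIBLE lists and the request parameters are all constructed for the example. Both variants take the same hash of form parameters; the blacklist variant lets every key it was not told about through to the model, while the whitelist variant assigns only the named keys and reports everything else back so the caller can log or reject the request.

```ruby
# Added illustration (not ChiliProject or Rails code): a minimal mass-assignment
# helper modelled on the two ActiveRecord strategies the thread contrasts.
# Blacklist (attr_protected style): every key not explicitly denied is assigned.
# Whitelist (attr_accessible style): only explicitly allowed keys are assigned.

class Issue
  attr_reader :attributes

  # Blacklist: keys that must never come from user input (constructed list).
  PROTECTED = %w[id project_id].freeze
  # Whitelist: the only keys a form is allowed to set (constructed list).
  ACCESSIBLE = %w[subject description].freeze

  def initialize
    @attributes = {}
  end

  # Blacklist variant: anything except the protected keys reaches the model,
  # including attributes nobody intended to expose or that do not even exist.
  # Returns the list of keys that were rejected.
  def assign_protected_style(params)
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if PROTECTED.include?(key)
        rejected << key
      else
        @attributes[key] = value
      end
    end
    rejected
  end

  # Whitelist variant: only the named keys are assigned; everything else is
  # returned so the caller can treat it as a suspicious request.
  def assign_accessible_style(params)
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if ACCESSIBLE.include?(key)
        @attributes[key] = value
      else
        rejected << key
      end
    end
    rejected
  end
end

# Constructed request parameters standing in for a web form submission.
# "status_id" and "bogus_column" were never meant to be user-settable.
SAMPLE_PARAMS = {
  "subject" => "Crash on login",
  "description" => "Stack trace attached",
  "status_id" => 5,
  "bogus_column" => "x" * 10_000,
}.freeze

# Runs both strategies over the same input and reports what each assigned
# and what each rejected, so the difference is visible side by side.
def compare_strategies(params = SAMPLE_PARAMS)
  blacklist = Issue.new
  whitelist = Issue.new
  {
    blacklist_rejected: blacklist.assign_protected_style(params).sort,
    blacklist_assigned: blacklist.attributes.keys.sort,
    whitelist_rejected: whitelist.assign_accessible_style(params).sort,
    whitelist_assigned: whitelist.attributes.keys.sort,
  }
end

if __FILE__ == $0
  compare_strategies.each { |name, keys| puts "#{name}: #{keys.inspect}" }
end
```

Run it and the blacklist variant accepts all four keys, including the unexpected "status_id" and the oversized "bogus_column", because neither was on the deny list; the whitelist variant assigns only "subject" and "description" and returns the other two as rejected. That returned list is the natural place to hook a log line or a 400 response, which is the detection a blacklist never gives you.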