Direct Object Reference in `accepts_nested_attributes_for` with Referenced `has_many`


    • Type: Bug
    • Resolution: Fixed
    • Priority: Unknown
    • Fix Version/s: 9.1.0, 9.0.11
    • Affects Version/s: 8.1.12, 9.0.10, 8.0.12
    • Component/s: None
    • Fully Compatible
    • Ruby Drivers
    • Needed

      1. What would you like to communicate to the user about this feature?

      A new configuration option has been added: `Mongoid::Config.allow_reparenting_via_nested_attributes`. In 9.0.x, this defaults to `true` (the legacy behavior). This default behavior exposes a minor security concern, however, as it is possible for someone to use nested attributes to reparent child associations. In 9.1.0, this option will default to `false`, and in Mongoid 10, this option will be removed entirely and the legacy behavior will no longer be supported.

      The security concern exists because the legacy behavior allows a different parent id to be specified via nested attributes. For example, suppose a Person has_many Posts.

      person.posts_attributes = { '1' => { person_id: 'different-person-id' } }

      Because nested attributes are frequently used by Rails applications to easily submit changes to entire subtrees of data, this allows a bad actor to reparent (e.g.) a post to a different person, affecting data integrity and possibly granting them write access to a record they otherwise only had read access to.

      2. Would you like the user to see examples of the syntax and/or executable code and its output?

      3. Which versions of the driver/connector does this apply to?


      Passing the ObjectID of an unrelated (existing) object via the nested attributes of a has_many relation shouldn't be allowed. Rails restricts it to objects that are already children of the parent relation.
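      The reparenting path described in the release note above and in this summary, as an added example that is not Mongoid's own code: plain Ruby objects stand in for a Person that has_many referenced Posts, a STORE hash stands in for the database, and assign_posts_attributes is a hypothetical stand-in for the posts_attributes= writer, with a flag mirroring allow_reparenting_via_nested_attributes. All ids and sample records are constructed. In legacy mode a parent can claim any existing post id and overwrite its person_id; in restricted mode an id must already belong to the parent and the foreign key is pinned, which is the Rails behavior the summary refers to.

```ruby
# Added illustration, not Mongoid's implementation: an in-memory model of a
# Person that has_many referenced Posts, showing how nested attributes can
# reparent a post under the legacy behaviour and how the restricted behaviour
# (allow_reparenting_via_nested_attributes = false) refuses it.
# Post, STORE, assign_posts_attributes and all ids below are constructed here.

Post = Struct.new(:id, :person_id, :title)

# Constructed sample data: two people, each owning one post.
STORE = {
  'post-a' => Post.new('post-a', 'alice', 'Alice post'),
  'post-b' => Post.new('post-b', 'bob',   'Bob post'),
}.freeze

class ReparentingError < StandardError; end

# Ids of the posts currently referenced by a parent (the has_many side).
def posts_for(person_id, store)
  store.values.select { |p| p.person_id == person_id }.map(&:id)
end

# Simulates `person.posts_attributes = attrs` for a referenced has_many.
# allow_reparenting: true  mirrors the legacy 9.0.x behaviour: any existing id
#   is looked up and its attributes, person_id included, are overwritten.
# allow_reparenting: false mirrors the 9.1.0 default: a referenced id must
#   already be a child of this parent, and the foreign key is pinned to it.
def assign_posts_attributes(person_id, attrs, store, allow_reparenting:)
  attrs.each_value do |raw|
    post_attrs = raw.transform_keys(&:to_s)
    id = post_attrs.delete('id')

    if id.nil?
      # No id means a new child; it is always created under this parent.
      new_id = "post-#{store.size + 1}"
      store[new_id] = Post.new(new_id, person_id, post_attrs['title'])
      next
    end

    post = store.fetch(id) { raise KeyError, "no such post #{id}" }

    unless allow_reparenting
      # Restricted mode: refuse ids that belong to another parent ...
      unless posts_for(person_id, store).include?(id)
        raise ReparentingError, "post #{id} is not a child of #{person_id}"
      end
      # ... and ignore any attempt to move an own child elsewhere.
      post_attrs['person_id'] = person_id
    end

    post.person_id = post_attrs['person_id'] if post_attrs.key?('person_id')
    post.title     = post_attrs['title']     if post_attrs.key?('title')
  end
  store
end

# Runs one nested-attributes submission against a fresh copy of STORE and
# returns who owns 'post-a' afterwards, or ReparentingError if it was refused.
def attempt(parent_id, payload, allow_reparenting:)
  store = STORE.transform_values(&:dup)
  assign_posts_attributes(parent_id, payload, store,
                          allow_reparenting: allow_reparenting)
  store['post-a'].person_id
rescue ReparentingError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  # Bob submits Alice's post id with his own person_id.
  steal = { '1' => { id: 'post-a', person_id: 'bob' } }
  puts "legacy:     post-a now owned by #{attempt('bob', steal, allow_reparenting: true)}"
  puts "restricted: #{attempt('bob', steal, allow_reparenting: false)}"
  # Alice submits her own post but tries to hand it to Bob.
  puts "own child:  post-a stays with #{attempt('alice', steal, allow_reparenting: false)}"
end
```

      The restricted branch does two independent things, and both matter: the membership check stops a foreign id from being pulled into the parent's subtree at all, and pinning person_id stops a legitimately owned child from being pushed out to another parent through the same writer.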

            Assignee:
            Jamis Buck
            Reporter:
            Jamis Buck
            Votes:
            0
            Watchers:
            1
