
The unscoped find issue is fairly easily solved by using devise's current_user in combination with something like cancancan. Let them send anything as a param but have the controller blow up if the user doesn't have permission to access it.

I suspect an insane number of websites are validated only by the frontend and can be exploited like this.
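The contrast the comment above draws, as an added example that is not part of the thread: a plain-Ruby stand-in for the Rails pieces involved (ActiveRecord's `find`, Devise's `current_user`, a CanCanCan/Pundit-style authorization check). The `Listing`/`User` models, the repository class and the ownership rule are all constructed for illustration; the point is that an id taken straight from `params` and looked up globally hands any authenticated user any record, while scoping the lookup through `current_user` (or authorizing the loaded record before returning it) makes a foreign id a 404 or a 403 rather than a leak.

```ruby
# Added example, not code from the Hacker News thread. Constructed stand-ins
# for ActiveRecord / Devise / CanCanCan; no Rails is required to run it.

RecordNotFound = Class.new(StandardError)   # what ActiveRecord raises on a miss
AccessDenied   = Class.new(StandardError)   # what CanCanCan/Pundit raise on a deny

Listing = Struct.new(:id, :owner_id, :title)
User    = Struct.new(:id, :admin)

# Constructed sample data: two users, each owning exactly one listing.
LISTINGS = [
  Listing.new(1, 100, "alice's guitar"),
  Listing.new(2, 200, "bob's amp"),
].freeze

# Minimal stand-in for Model.find / Model.where(...).find:
# `find` returns the record or raises RecordNotFound, as Rails does.
class Repo
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    @rows.find { |r| r.id == Integer(id) } || raise(RecordNotFound, "id=#{id}")
  end

  # Narrow the set of rows, like an association scope (current_user.listings).
  def where(**conds)
    Repo.new(@rows.select { |r| conds.all? { |k, v| r.public_send(k) == v } })
  end
end

ALL_LISTINGS = Repo.new(LISTINGS)

# Vulnerable pattern: the id comes straight from params and is looked up
# globally, so whoever is logged in can read whichever listing they name.
def unscoped_show(params)
  ALL_LISTINGS.find(params[:id])
end

# Fix 1: scope the lookup through the current user (current_user.listings.find).
# A listing the user does not own is simply absent from the scope, so the
# lookup raises RecordNotFound (a 404 in Rails) instead of returning it.
def scoped_show(current_user, params)
  ALL_LISTINGS.where(owner_id: current_user.id).find(params[:id])
end

# Fix 2: load globally but authorize the loaded record before returning it,
# in the spirit of CanCanCan's `authorize!` or Pundit's `authorize`.
# The rule is constructed: owners and admins may read a listing.
def can_read?(user, listing)
  user.admin || listing.owner_id == user.id
end

def authorized_show(current_user, params)
  listing = ALL_LISTINGS.find(params[:id])
  unless can_read?(current_user, listing)
    raise AccessDenied, "user #{current_user.id} may not read listing #{listing.id}"
  end
  listing
end
```

Both fixes stop the leak; the scoped lookup is the simpler default for "this user's own records" resources, while the explicit authorization check is what you want when an admin or a shared-access rule legitimately needs to reach records outside the user's own scope.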

You'd suspect right :) I've had a huge number of bounties from this as a result of finding the pattern first on Reverb.


Can't this be solved with scoping via the pundit gem, as well?



