3.0.1 docs and existing objects

Espen_Antonsen · October 15, 2010, 12:59pm

My app relied on the security vulnerability fixed in Rails 3.0.1. While I did specify attributes such as name and email, my main goal was to use an existing record by specifying the id. The 3.0.1 patch does not make it possible to specify id in nested attributes. It now raises a raise_nested_attributes_record_not_found whenever the id attribute is present. The intention of the patch was to deny updates to other attributes when the id is specified; i.e. {:id => 1, :name => 'pedo bear' }. That was off course a needed security improvement but was the intention also not to use nested_attributes for existing objects?

The API docs

"It also allows you to update the avatar through the member:

params = { :member => { :avatar_attributes => { :id => '2', :icon => 'sad' } } } member.update_attributes params[:member] member.avatar.icon # => 'sad'"

And

"If the hash contains an id key that matches an already associated record, the matching record will be modified:"

Seems like this was not just a security vulnerability but intended and documented behavior.

What should be done here?

1. Existing objects must be saved with child_id = # not child_attributes = { :id => 3} 2. allow id in nested attributes but do not accept other attributes.

Either way the docs should be updated. (And so must my API docs...)

Patch: http://rubyonrails-security.googlegroups.com/attach/e307ee2102f2e4be/3-0-nested_attributes.patch?view=1&part=4

Michael_Koziarski1 · October 17, 2010, 8:58pm

Seems like this was not just a security vulnerability but intended and documented behavior.

It was poorly considered intended behaviour because of the problems with :allow_destroy. That's not to say we can't come up with something nicer, but the original patch isn't it

What should be done here?

1. Existing objects must be saved with child_id = # not child_attributes = { :id => 3} 2. allow id in nested attributes but do not accept other attributes.

The problem with allowing id in the associations is how can we, a framework, scope it sensibly? In some cases assigning any record is fine. for example picking a category for a bug report, triggering category.find is fine. The other side of the coin is something like picking a bank account to assign a payment to. Unscoped finders there would be a huge problem.

Either way the docs should be updated. (And so must my API docs...)

For now the docs should probably just be updated, and if someone wants to figure out a way to re-enable a sub-set of this functionality for 3.1, we can experiment and analyse here before we push any releases.

rolfb · October 20, 2010, 4:30pm

@koz

Could you possibly supply some test cases for the exploiting scenario? It's seems wrong to raise record not found everytime an :id is supplied.

Looking into it.