ChiliProject is not maintained anymore. Please be advised that there will be no more updates.

We do not recommend that you set up new ChiliProject instances, and we urge all existing users to migrate their data to a maintained system, e.g. Redmine. We will provide a migration script later. In the meantime, you can use the instructions by Christian Daehn.

Is Chiliproject vulnerable due to mass-assignment?

Added by Enno Gröper at 2012-03-05 06:57 pm

Hello,
I think/hope you are aware of the issue.
But I wanted to ask, as I wouldn't have thought that a big player like github.com is vulnerable.


Replies (5)

RE: Is Chiliproject vulnerable due to mass-assignment? - Added by John Yani at 2000-03-07 12:00 pm

So let's find out now if the created_on field is vulnerable. Apparently, it is :(

RE: Is Chiliproject vulnerable due to mass-assignment? - Added by Felix Schäfer at 2012-03-06 01:43 am

Technically this is an "old issue": we are aware of it and we take care to filter user input when writing new code. I can't vouch for the "older" parts of the codebase though, as it would require a thorough code review. Regarding this being an "old issue": Redmine (and thus ChiliProject) has a module source:/lib/redmine/safe_attributes.rb that can be included in models to get whitelist (and even conditional) mass assignment, i.e. it's something we're aware of and do our best to avoid.

Regarding "big players" like github, posterous and so on being vulnerable: is it really a surprise to you? :-) Rails makes mass assignment not only easy but also "best practice" of sorts, at least in the guides (IIRC the guides are like "mass assignment, it's easy!" in the beginner's guide and "oh, but be careful with it!" in the security guide…). Unless you "force" people to declare what should be mass assignable instead of having everything mass assignable by default, I fear even the best programmers will end up walking into this problem, albeit maybe later than others.
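The two patterns Felix contrasts, as an added example that is not ChiliProject or Redmine code: a plain-Ruby stand-in for an ActiveRecord-style model, with the "assign every submitted key" behaviour next to a whitelist that carries one conditional rule (only an administrator may set admin), in the spirit of what safe_attributes provides. The class, method and attribute names, and the submitted parameter hash, are assumptions constructed for the example.

```ruby
# Added example (not ChiliProject or Redmine code): a plain-Ruby stand-in for an
# ActiveRecord-style model. It contrasts assigning every submitted key with a
# whitelist that has one conditional rule, in the spirit of the safe_attributes
# module discussed above. Class, method and attribute names are assumptions.

class User
  attr_accessor :login, :email, :admin, :created_on

  def initialize
    @admin = false      # privilege flags must default to "off"
    @created_on = nil   # set by the application, never by the request
  end

  # Names any visitor may set through a form.
  SAFE_ATTRIBUTES = %w[login email].freeze
  # Names that only an administrator may set.
  ADMIN_ONLY_ATTRIBUTES = %w[admin].freeze

  # Vulnerable pattern: every key in the submitted hash is turned into a setter
  # call, so a request body that carries "admin" or "created_on" overwrites
  # those columns just as easily as "login".
  def assign_attributes(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end

  # Hardened pattern: only whitelisted names are written; "admin" is accepted
  # only when the caller is already an administrator. Other keys are dropped.
  def assign_safe_attributes(attrs, current_user_is_admin: false)
    allowed = SAFE_ATTRIBUTES + (current_user_is_admin ? ADMIN_ONLY_ATTRIBUTES : [])
    attrs.each do |name, value|
      next unless allowed.include?(name.to_s)
      public_send("#{name}=", value)
    end
    self
  end

  def self.from_params_unsafe(params)
    new.assign_attributes(params)
  end

  def self.from_params_safe(params, current_user_is_admin: false)
    new.assign_safe_attributes(params, current_user_is_admin: current_user_is_admin)
  end
end

# Constructed request body: a self-registration form whose hash also carries
# the "admin" and "created_on" columns, which the application never meant to
# accept from a client.
SUBMITTED_PARAMS = {
  "login" => "newuser",
  "email" => "newuser@example.test",
  "admin" => true,
  "created_on" => "2000-03-07"
}.freeze

if __FILE__ == $PROGRAM_NAME
  u = User.from_params_unsafe(SUBMITTED_PARAMS)
  puts "unsafe: admin=#{u.admin} created_on=#{u.created_on.inspect}"
  s = User.from_params_safe(SUBMITTED_PARAMS)
  puts "safe:   admin=#{s.admin} created_on=#{s.created_on.inspect}"
end
```

The point of the conditional rule is that the whitelist is not a single static list: the same submitted hash yields admin=true only when the code path already runs on behalf of an administrator, and created_on is never writable from a request at all.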

RE: Is Chiliproject vulnerable due to mass-assignment? - Added by Felix Schäfer at 2012-03-06 01:44 am

(oh, and AFAIK Holger is spending some brain-time on whether and if yes what we should do)

RE: Is Chiliproject vulnerable due to mass-assignment? - Added by Enno Gröper at 2012-03-06 09:40 pm

Perhaps find_mass_assignment could help?

I ran it on a quite old Redmine install (1.1.0) I have on a private machine (quickly accessible). Don't want to test it on my production server running chiliproject.
It found 46 potential issues.
I will try it on a test install of chiliproject, if I have some spare time.

Update: 47 potential issues on chiliproject 3.0.0. But to me at least some of them look like obvious false alarms.
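A grep-style scanner of the kind Enno ran, as an added example that is neither the find_mass_assignment gem nor ChiliProject code: it classifies constructed "file:line:code" lines and shows why such a tool yields both real hits and the obvious false alarms he mentions. The sample lines, the regexes and the classification scheme are my own assumptions about how such a heuristic works.

```ruby
# Added example (not the find_mass_assignment gem and not ChiliProject code):
# a small grep-style scanner applied to constructed "file:line:code" lines.
# The regexes and the classification scheme are assumptions, not the gem's.

# Controller lines as a grep might print them (constructed, not real source).
SAMPLE_GREP_OUTPUT = [
  "app/controllers/issues_controller.rb:42:    @issue = Issue.new(params[:issue])",
  "app/controllers/users_controller.rb:17:    @user.update_attributes(params[:user])",
  "app/controllers/issues_controller.rb:80:    @issue.safe_attributes = params[:issue]",
  "app/controllers/members_controller.rb:23:    @member = Member.new(:role_ids => params[:role_ids], :user => @user)",
  "app/controllers/projects_controller.rb:11:    @project = Project.find(params[:id])"
].freeze

# A model call that receives the request hash wholesale.
CALL_RE = /\.(new|create|update_attributes)\((?<arg>[^)]*\bparams\b[^)]*)\)/
# Assignment through a whitelisting setter (name assumed after Redmine's module).
WHITELIST_RE = /safe_attributes\s*=\s*params\b/

Finding = Struct.new(:location, :kind, :source)

# Classify one grep line. Returns nil when the line is not a candidate at all.
def classify_line(line)
  m = line.match(/\A(?<loc>[^:]+:\d+):(?<src>.*)\z/)
  return nil unless m
  src = m[:src].strip
  return Finding.new(m[:loc], :whitelisted, src) if src.match?(WHITELIST_RE)
  call = src.match(CALL_RE)
  return nil unless call
  # An argument that starts with a literal hash names its keys explicitly, so
  # only those columns can be set; the grep still matches, hence a false alarm.
  kind = call[:arg].strip.start_with?(':', '{') ? :explicit_keys : :unfiltered
  Finding.new(m[:loc], kind, src)
end

def scan(lines)
  lines.map { |l| classify_line(l) }.compact
end

# Only the :unfiltered findings need a human to check whether the model
# whitelists attributes somewhere else (e.g. inside the model itself).
def needs_review(lines)
  scan(lines).select { |f| f.kind == :unfiltered }
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_GREP_OUTPUT).each do |f|
    puts "#{f.kind.to_s.ljust(13)} #{f.location}  #{f.source}"
  end
end
```

Even with the two refinements, a line classified :unfiltered can still be safe when the filtering happens inside the model rather than at the call site, which is why a raw count like "47 potential issues" is a starting point for a code review rather than a vulnerability count.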
