Avoid unsafe Rails strong parameters and mass assignment

#Metadata

Rule ID: ruby.security.rails-unsafe-strong-parameters
Severity: high
Confidence: 0.88
Languages: ruby
Presets: security, strict
Stability: stable
Applies to: block
Tags: mass-assignment, rails, ruby, rules-catalog, security

#Why it matters

Permissive `permit!`, privileged `permit` fields, and direct `params` mass assignment enable attackers to escalate privileges or overwrite protected columns.

#Remediation

Replace `permit!` with an explicit attribute list, drop privileged symbols from `permit`, and route updates through vetted strong-parameter helpers instead of raw `params`.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/ruby/ruby.security.rails-unsafe-strong-parameters.rule.yaml.

Back to directory Open rule in repository

Search docs

#Metadata

#Why it matters

#Remediation

#Repository path