
I just threw together a quick gem that will ensure active_record model attributes are protected from mass-assignment unless explicitly declared as mass-assignable.

Granted, this as a default will break an app that does not have the correct attributes declared as mass-assignable, but the alternative is a vulnerable app.

https://github.com/stevegraham/default_whitelist
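To make the behaviour described above concrete, here is a constructed plain-Ruby model of mass assignment, added as an illustration; it is neither the default_whitelist gem's code nor ActiveRecord. The `MassAssignment` module, its `mass_assignment_policy` setting and the `LegacyUser`/`User` classes are assumptions for the example. It contrasts the permissive behaviour of a model with no whitelist (every parameter key lands on the record, including a tampered `admin` key) with a whitelist-by-default policy, where anything not declared via `attr_accessible` is dropped and recorded:

```ruby
require 'set'

# Toy re-implementation of whitelist-style mass-assignment protection.
# Constructed for illustration; not the gem's code and not ActiveRecord.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # :permissive mimics a model with no whitelist declared under the old
    # default (every key is mass-assignable); :whitelist refuses anything
    # not declared with attr_accessible.
    def mass_assignment_policy(policy = nil)
      @policy = policy if policy
      @policy || :permissive
    end

    # Mirrors the attr_accessible declaration: names the mass-assignable attributes.
    def attr_accessible(*names)
      accessible_attributes.merge(names.map(&:to_s))
    end

    def accessible_attributes
      @accessible_attributes ||= Set.new
    end

    def mass_assignable?(name)
      mass_assignment_policy == :permissive || accessible_attributes.include?(name)
    end
  end

  attr_reader :attributes, :rejected

  def initialize(params = {})
    @attributes = {}
    @rejected = []          # keys refused by the whitelist (worth logging in a real app)
    assign_attributes(params)
  end

  # Copies only the permitted keys from the request parameters onto the record.
  def assign_attributes(params)
    params.each do |key, value|
      name = key.to_s
      if self.class.mass_assignable?(name)
        @attributes[name] = value
      else
        @rejected << name
      end
    end
    self
  end
end

# Model with no whitelist under the permissive default: every key is accepted.
class LegacyUser
  include MassAssignment
  mass_assignment_policy :permissive
end

# Model under the whitelist-by-default policy: only declared attributes are accepted.
class User
  include MassAssignment
  mass_assignment_policy :whitelist
  attr_accessible :name, :email
end

# Constructed request parameters: the client added an "admin" key the form never offered.
TAMPERED_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

def legacy_result
  LegacyUser.new(TAMPERED_PARAMS)
end

def whitelisted_result
  User.new(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "permissive: #{legacy_result.attributes}"
  puts "whitelist:  #{whitelisted_result.attributes} (dropped #{whitelisted_result.rejected})"
end
```

Running the file prints the permissive record carrying `"admin" => true` and the whitelisted record with only `name` and `email`, with `admin` listed as rejected. The `rejected` list is the hook a defender wants: an unexpected key in production parameters is a signal worth logging, since it shows a client probing for attributes the form never exposed.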




Only for relatively new versions of Rails. The oldest version of Rails including this patch was released January 20, 2012.


Note that that commit is only a comment -- the addition of "whitelist_attributes" presumably is older.


It was added in Rails 3.1.



