Moved to GitHub from Google Code on May 1, 2008 Was hosted at code.google.com/p/audit-mass-assignment/

audit_mass_assignment plugin for Ruby on Rails

The audit_mass_assignment Ruby on Rails plugin contains a rake task that
checks the models in your project for the attr_accessible whitelist approach
for protecting against "mass assignment" exploits.  It does not check for
use of attr_protected.

Installation

gem install ryanlowe-audit_mass_assignment --source http://gems.github.com/

Usage

$ rake audit:mass_assignment

Notes

If you want to protect ALL attributes in your model use:

  attr_accessible nil

Why are "mass assignment" exploits a danger to Rails applications? See these links:

1. rorsecurity.info: Do not create records directly from form parameters
   http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/

2. Railscasts: Hackers Love Mass Assignment
   http://railscasts.com/episodes/26

3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
   http://manuals.rubyonrails.com/read/chapter/47