LRBlog » Web Security http://blog.lrdesign.com Logical Reality Design: Web Design and Software Development Thu, 08 Jul 2010 01:40:49 +0000 en hourly 1 http://wordpress.org/?v=3.0 Bypassing mass assignment for update_attributes http://blog.lrdesign.com/2009/03/bypassing-mass-assignment-for-update_attributes/ http://blog.lrdesign.com/2009/03/bypassing-mass-assignment-for-update_attributes/#comments Sat, 14 Mar 2009 21:45:05 +0000 Evan http://blog.lrdesign.com/?p=51 I've been following this excellent post by M. Hartl and this post by E. Chapweske banishing mass assignment from one of my Rails applications due to launch soon.

I'm following Chapweske's approach of blocking mass assignment by default in all models, by putting this line in an initializer:

ActiveRecord::Base.send(:attr_accessible, nil)

This had the expected side effect of breaking several zillion tests, because tests frequently use things like Model.build() and Model.create!() to generate on-demand fixtures during testing. Hartl has a great bit of code that creates unsafe_build() and unsafe_create() methods in ActiveRecord. You can use these methods instead of build() and create() to function as expected in your tests.

This works great, except that I also use the mass-assignment method update_attributes! in my tests and specs frequently, particularly when I want to spec the effect a change on one model has on an associated models' methods. So, I expanded on Hartl's helper code a bit, to give myself the necessary methods. In case it helps anyone else:

/lib/initializers/unsafe_build_and_create.rb

class ActiveRecord::Base

# Build and create records unsafely, bypassing attr_accessible.
# These methods are especially useful in tests and in the console.

def self.unsafe_build(attrs)
record = new
record.unsafe_attributes = attrs
record
end

def self.unsafe_create(attrs)
record = unsafe_build(attrs)
record.save
record
end

def self.unsafe_create!(attrs)
unsafe_build(attrs).save!
end

def unsafe_update_attributes!(attrs)
self.unsafe_attributes = attrs
self.save!
end

def unsafe_update_attributes(attrs)
self.unsafe_attributes = attrs
self.save
end

def unsafe_attributes=(attrs)
attrs.each do |k, v|
send("#{k}=", v)
end
end
end

]]> http://blog.lrdesign.com/2009/03/bypassing-mass-assignment-for-update_attributes/feed/ 2 Likely web scam notice: webatrades.com http://blog.lrdesign.com/2008/05/likely-web-scam-notice-webatradescom/ http://blog.lrdesign.com/2008/05/likely-web-scam-notice-webatradescom/#comments Tue, 27 May 2008 03:54:34 +0000 Evan http://blog.lrdesign.com/?p=22 Looking for used cars on Craig's List, my girlfriend and I found what appears to be a classic web escrow auto scam: Web Auto Trades. An ad we responded to (a used Honda Accord at a surprisingly low price for the mileage) claimed to be using their service, which included a "five day guarantee" if you didn't like the car, and said we wouldn't have to meet the seller in person. These are all signs of a typical scam: buyer beware!

Other scam signs: though their snazzy flash-based website presents them as worldwide experts in escrow services, a google search for their domain name results in zero hits, and the domain has only been registered for five days and lists no telephone contacts:


Registrant:
Domain Privacy Group, Inc.
c/o webatrades.com,
5160 Yonge St. Suite 1800
Toronto, ON M2N 6L9
CA

Domain name: webatrades.com

Administrative Contact:
Domain Privacy Group, Inc. privacy-356772@domainprivacygroup.com
c/o webatrades.com,
5160 Yonge St. Suite 1800
Toronto, ON M2N 6L9
CA
Fax:

Technical Contact:
Domain Privacy Group, Inc. privacy-356772@domainprivacygroup.com
c/o webatrades.com,
5160 Yonge St. Suite 1800
Toronto, ON M2N 6L9
CA
Fax:

Registrar of Record: Netfirms Inc.
Record expires on 2009-05-21.
Record created on 2008-05-21.
Database last updated on 2008-05-28 12:54:04.

If you are finding this post because you googled their address after considering buying a car from someone using their service, I strongly consider you to avoid doing business with them, or at least to investigate the company much more thoroughly. Check with your state's attorney general's office to see if they've heard of them or have any complaints, and also consider checking with the BBB. Be very careful not to have your money taken by escrow scams, which this company gives every appearance of being.

Here's a screenshot of their front page, in case they pop up somewhere later under a different name.

This looks like an auto escrow scam.

Update: How to Avoid Escrow Fraud

Here are some useful links on escrow fraud, what it is, and how to avoid it:

]]> http://blog.lrdesign.com/2008/05/likely-web-scam-notice-webatradescom/feed/ 10