---
title: "RR001 – Use Strong Parameters (params.require().permit())"
impact: high
impactDescription: "Mass assignment via permit() prevents unfiltered user input from modifying forbidden attributes such as roles, admin flags, or foreign keys."
tags: [ruby, rails, security, input-validation]
---

# RR001 – Use Strong Parameters

## Rule

Always whitelist params with `require().permit()`. Never permit all params or bypass strong parameters.

## Why

`params.to_unsafe_h` and raw `params` bypass Rails' Mass Assignment protection. An attacker can inject `admin: true`, `role: 'admin'`, or arbitrary foreign keys.

## Wrong

```ruby
# Bypasses strong parameters entirely
def create
  @user = User.create(params[:user].to_unsafe_h)
end

# Permits everything
def user_params
  params.require(:user).permit!
end

# Missing permit — may raise ForbiddenAttributesError or pass raw hash
def create
  @user = User.create(user_params: params[:user])
end
```

## Correct

```ruby
def create
  @user = User.create!(user_params)
end

private

def user_params
  params.require(:user).permit(:name, :email, :password, :password_confirmation)
end
```

## Notes

- `permit!` is only acceptable in internal admin scripts where input is completely trusted and audited.
- Nested attributes need explicit permit: `permit(:name, addresses_attributes: [:street, :city])`.
- Never store the result of `to_unsafe_h` into a model.