Add change note and update severity

2026-04-19 14:04:09 +02:00 · 2024-03-22 14:04:15 +00:00
parent b74145349b
commit 01f712476b
2 changed files with 5 additions and 1 deletions
--- a/ruby/ql/src/change-notes/2024-03-22-mass-assignment.md
+++ b/ruby/ql/src/change-notes/2024-03-22-mass-assignment.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `ruby/insecure-mass-assignment`, for finding instances of mass assignment operations accepting arbitrary parameters from remote user input.
--- a/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
+++ b/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
@@ -3,7 +3,7 @@
 * @description Using mass assignment with user-controlled attributes allows unintended parameters to be set.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.5
+ * @security-severity 9.8
 * @precision high
 * @id ruby/insecure-mass-assignment
 * @tags security