params.permit! allows every parameter
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
permit! (with a bang, not parentheses) marks the entire params hash as permitted with no allowlist at all. Wherever the result is used for mass assignment, strong parameters provides no protection, regardless of which attributes a form or API client sends.
Why it matters
permit! is the strong-parameters equivalent of turning mass-assignment protection off entirely: it marks every key in the params hash, current and future, as permitted with no allowlist. Anywhere the resulting hash reaches create/update, a client can set any attribute the model has, exactly the vulnerability strong parameters exists to prevent.
How to fix it
Replace permit! with an explicit permit(:field_one, :field_two, ...) listing only the attributes this action is meant to let the client set. If different call sites need different fields, give each its own allowlist method rather than sharing one permissive one.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo