Briefly searching Github for create_with it seems to be mostly used with seed data and or test factory models.<p><a href="https://github.com/search?l=Ruby&q=create_with&ref=cmdform&type=Code&utf8=%E2%9C%93" rel="nofollow">https://github.com/search?l=Ruby&q=create_with&ref=cmdform&t...</a><p>Although quite a few taking raw user input. I'd imagine not all of them are Rails 4+ though.
I reported this.<p>Curiously, they patched (but didn't disclose) the more severe half of this bug. Calls to `Model.where(params).create` also don't protect against mass-assignment. I believe this pattern is both <i>much</i> more prevalent and hard to detect.