Do not use "permit!" for params

Posted . Visible to the public. Repeats.

Rails' Strong Parameters Show archive.org snapshot enable you to allow only specific values from request params to e.g. avoid mass assignment Show archive.org snapshot .

Usually, you say something like params.permit(:email, :password) and any extra parameters would be ignored, e.g. when calling to_h.
This is excellent and you should definitely use it.

What is permit! and why is it dangerous?

However, there is also params.permit! which permits everything from the params. There are situations where this is acceptable/desirable but permit! also mutates the params object.
This means that any code that accesses params afterwards will work with a fully permitted parameters object.

You never want that.

Why? Because it introduces potential vulnerabilities. [1]
Even if you are sure that nobody else accesses the params object after your code callled permit!, you can't a guarantee this is true forever.
It is just not worth the risk and you can always do better.

Alternatives

Instead, you should take a different approach. Here are several alternatives.


[1] For example: If params are assigned to model attributes, your model won't complain, since params were declared safe. Congratulations, you've gained a mass assignment vulnerability. Note that params.permit(:something) would still only extract the :something entry, but the original params object is still tainted and you must avoid that.

Arne Hartherz
Last edit
Arne Hartherz
License
Source code in this card is licensed under the MIT License.
Posted by Arne Hartherz to makandra dev (2023-09-13 11:49)