
Do not use "permit!" for params

Arne Hartherz
September 13, 2023
Software engineer at makandra GmbH

Rails' Strong Parameters enable you to allow only specific values from request params, e.g. to avoid mass assignment.

Usually, you write something like params.permit(:email, :password), and any extra parameters are ignored, e.g. when calling to_h.
This is excellent and you should definitely use it.

What is permit! and why is it dangerous?

However, there is also params.permit! which permits everything from the params. There are situations where this is acceptable/desirable but permit! also mutates the params object.
This means that any code that accesses params afterwards will work with a fully permitted parameters object.

You never want that.

Why? Because it introduces potential vulnerabilities. [1]
Even if you are sure that nobody else accesses the params object after your code called permit!, you can't guarantee this is true forever.
It is just not worth the risk and you can always do better.
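
One way to keep permit! out of a code base is a check that flags every call. This is an added example, not part of the original card: it uses Ruby's standard-library Ripper lexer so that comments, string literals and the safe permit(...) form are not reported. The method name find_permit_bang and the sample controller are constructed for illustration.

```ruby
require "ripper"

# Constructed sample input: a controller with two real permit! calls,
# plus a comment and a string that merely mention the method name.
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    def create
      # Do not call permit! here.
      params.permit!
      User.create(params[:user])
    end

    def update
      attrs = params.require(:user).permit!
      logger.info "permit! was called"
      safe = params.permit(:email, :password)
    end
  end
RUBY

# Returns [line_number, source_line] for every permit! identifier token.
# Lexing (instead of grepping) skips comments and string literals, and
# does not confuse permit! with the safe permit(...) call.
def find_permit_bang(source)
  lines = source.lines
  Ripper.lex(source)
        .select { |(_pos, type, token)| type == :on_ident && token == "permit!" }
        .map { |((line, _col), _type, _token)| [line, lines[line - 1].strip] }
end

# Prints one finding per line, e.g. for use as a CI check.
find_permit_bang(SAMPLE).each do |line, code|
  puts "sample.rb:#{line}: permit! call: #{code}"
end
```

Both the bare params.permit! and the chained params.require(:user).permit! are reported, since each mutates the object it is called on.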

Alternatives

Instead, you should take a different approach. Here are several alternatives.


[1] For example: If params are assigned to model attributes, your model won't complain, since params were declared safe. Congratulations, you've gained a mass assignment vulnerability. Note that params.permit(:something) would still only extract the :something entry, but the original params object is still tainted and you must avoid that.

Posted by Arne Hartherz to makandra dev (2023-09-13 13:49)