Rails' Strong Parameters enable you to allow only specific values from request params, e.g. to avoid mass assignment.

Usually, you say something like params.permit(:email, :password) and any extra parameters are ignored, e.g. when calling to_h. This is excellent and you should definitely use it.
permit! and why is it dangerous?

However, there is also params.permit! which permits everything from the params. There are situations where this is acceptable or even desirable, but permit! also mutates the params object. This means that any code that accesses params afterwards will work with a fully permitted parameters object. You never want that.

Why? Because it introduces potential vulnerabilities. [1] Even if you are sure that nobody else accesses the params object after your code called permit!, you cannot guarantee this will be true forever. It is just not worth the risk, and you can always do better.
Instead, you should take a different approach. Here are several alternatives.

1. Instead of calling permit! on everything, permit only known good keys.
2. request.path_parameters returns a Hash with all parameters relevant for building a path with e.g. url_for (excluding :host and similar). Note that it does not include query parameters.
3. params.to_unsafe_h returns a HashWithIndifferentAccess with everything from params. If none of the above was enough for you, this should be. Be careful what you use it for; we have a separate card on that.

[1] For example: if params are assigned to model attributes, your model won't complain, since params were declared safe. Congratulations, you've gained a mass assignment vulnerability. Note that params.permit(:something) would still only extract the :something entry, but the original params object is still tainted, and you must avoid that.
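The following is an added example, not code from the original card or from Rails itself. To keep it runnable without Rails, it uses a small stand-in class (Params) that reproduces only the four behaviours discussed above: permit returns a new permitted object, permit! flags the receiver itself, to_h refuses unpermitted objects, and to_unsafe_h hands out everything. The User struct, the request hash and the three controller-style methods are constructed for illustration; they show how a later reader of the same params object ends up mass-assigning an attacker-supplied admin flag after permit!, and why permit (or an explicit to_unsafe_h) leaves params untouched.

```ruby
# Minimal stand-in for ActionController::Parameters (NOT Rails code).
# It mirrors just the semantics the card talks about.
class UnfilteredParameters < StandardError; end

class Params
  attr_reader :permitted
  alias permitted? permitted

  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # Like Rails: returns a NEW, permitted object holding only the given keys.
  # The receiver is left exactly as it was.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  # Like Rails: marks the receiver itself as permitted and returns it.
  # Every later reader of this same object now sees everything as safe.
  def permit!
    @permitted = true
    self
  end

  # Like Rails: refuses to hand out a plain hash unless permitted.
  def to_h
    raise UnfilteredParameters, "unable to convert unpermitted parameters to hash" unless @permitted
    @hash.dup
  end

  # Like Rails: always hands out everything; the caller takes responsibility.
  def to_unsafe_h
    @hash.dup
  end
end

# A model that mass-assigns whatever hash it receives, as an ActiveRecord
# `User.new(attrs)` would once Strong Parameters have approved the hash.
User = Struct.new(:email, :password, :admin, keyword_init: true)

# Constructed request parameters: the client sneaked in an "admin" key.
REQUEST_PARAMS = { email: "alice@example.com", password: "hunter2", admin: true }.freeze

# Dangerous pattern: permit! taints the shared params object, so code that
# runs later (another before_action, a concern, a helper) mass-assigns it all.
def signup_with_permit_bang(params)
  params.permit!                                   # mutates `params` in place
  User.new(**params.to_h.transform_keys(&:to_sym)) # admin: true gets through
end

# Recommended pattern: permit only known good keys; `params` stays unpermitted.
def signup_with_permit(params)
  attrs = params.permit(:email, :password).to_h
  User.new(**attrs.transform_keys(&:to_sym))       # admin is simply absent
end

# to_unsafe_h alternative: explicit, does not mutate params, caller must filter.
# Here it is used only to list which keys the client sent, e.g. for an audit log.
def submitted_keys(params)
  params.to_unsafe_h.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  tainted = Params.new(REQUEST_PARAMS)
  puts "permit!: admin=#{signup_with_permit_bang(tainted).admin.inspect}, params permitted afterwards=#{tainted.permitted?}"
  clean = Params.new(REQUEST_PARAMS)
  puts "permit:  admin=#{signup_with_permit(clean).admin.inspect}, params permitted afterwards=#{clean.permitted?}"
  puts "keys submitted: #{submitted_keys(clean).join(', ')}"
end
```

Run it as a plain Ruby script: the permit! branch yields a user with admin set to true and leaves the params object permitted for everything that follows, while the permit branch yields a user without admin and leaves params unpermitted, so any later accidental to_h on it still raises instead of silently succeeding.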