Do not use "permit!" for params

Arne Hartherz
September 13, 2023
Software engineer at makandra GmbH

Rails' Strong Parameters enable you to allow only specific values from request params, e.g. to avoid mass assignment.

Usually, you say something like params.permit(:email, :password) and any extra parameters would be ignored, e.g. when calling to_h.
This is excellent and you should definitely use it.

What is permit! and why is it dangerous?

However, there is also params.permit! which permits everything from the params. There are situations where this is acceptable/desirable but permit! also mutates the params object.
This means that any code that accesses params afterwards will work with a fully permitted parameters object.

You never want that.

Why? Because it introduces potential vulnerabilities. [1]
Even if you are sure that nobody else accesses the params object after your code called permit!, you can't guarantee this will be true forever.
It is just not worth the risk and you can always do better.
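
The difference between the two calls, as an added example that is not part of the original card. FakeParams is a simplified stand-in (an assumption, not Rails code) that models only the "permitted" flag of ActionController::Parameters; the User class and the request data are constructed for illustration.

```ruby
# Simplified stand-in (assumption) for ActionController::Parameters; it models
# only the "permitted" flag, the part where permit and permit! differ.
class FakeParams
  def initialize(hash, permitted = false)
    @hash = hash.transform_values { |v| v.is_a?(Hash) ? FakeParams.new(v) : v }
    @permitted = permitted
  end
  def permitted?; @permitted; end
  def [](key); @hash[key]; end
  # Like Rails: returns a NEW permitted object holding only the listed keys.
  def permit(*keys); FakeParams.new(@hash.slice(*keys), true); end
  # Like Rails: flags this object and everything nested in it, returns self.
  def permit!
    @hash.each_value { |v| v.permit! if v.is_a?(FakeParams) }
    @permitted = true
    self
  end
  def to_h
    raise "unpermitted parameters" unless permitted?
    @hash.transform_values { |v| v.is_a?(FakeParams) ? v.to_h : v }
  end
end

# Hypothetical model with the check ActiveModel applies on mass assignment.
class User
  attr_reader :attributes
  def initialize(params)
    raise ArgumentError, "forbidden attributes" unless params.permitted?
    @attributes = params.to_h
  end
end
# Constructed request: the client adds an :admin field the form never had.
def request_params
  FakeParams.new({ user: { email: "a@example.com", password: "s3cret", admin: true } })
end
# Earlier code called permit! (say, to dump params); later code reuses params.
def assign_after_permit_bang
  params = request_params
  params.permit!.to_h
  User.new(params[:user]).attributes
end
# Same request, but the controller builds a filtered copy with permit.
def assign_after_permit
  User.new(request_params[:user].permit(:email, :password)).attributes
end
def raw_assign_rejected?
  User.new(request_params[:user]).nil?
rescue ArgumentError
  true
end
```

After permit! the later assignment accepts the :admin field because the shared object was flagged in place, while permit leaves the original unpermitted and hands the model only the listed keys.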


Instead, you should take a different approach. Here are several alternatives.

[1] For example: If params are assigned to model attributes, your model won't complain, since params were declared safe. Congratulations, you've gained a mass assignment vulnerability. Note that params.permit(:something) would still only extract the :something entry, but the original params object is still tainted and you must avoid that.

Posted by Arne Hartherz to makandra dev (2023-09-13 13:49)