Rails' Strong Parameters enable you to allow only specific values from request params, e.g. to avoid mass assignment.

Usually, you say something like params.permit(:email, :password), and any extra parameters are ignored, e.g. when calling to_h.

This is excellent and you should definitely use it.
What is permit! and why is it dangerous?
However, there is also params.permit!, which permits everything in params. There are situations where this is acceptable or even desirable, but permit! also mutates the params object in place (and returns it). This means that any code that accesses params afterwards, within the same request, works with a fully permitted parameters object.

You never want that. Why? Because it introduces potential vulnerabilities. [1]

Even if you are sure that nobody else accesses the params object after your code called permit!, you cannot guarantee this stays true forever: an after_action, a concern or a helper added later will see the tainted object too. It is just not worth the risk, and you can always do better.
Alternatives
Instead, you should take a different approach. Here are several alternatives.

- If you can, don't permit! everything but permit only known good keys, e.g. params.permit(:email, :password). This returns a new, filtered parameters object and leaves the original params untouched.
- Use request.path_parameters. It returns a Hash with all parameters relevant for building a path with e.g. url_for (excluding :host and similar). Note that it does not include query parameters or the request body.
- Use params.to_unsafe_h. It returns a HashWithIndifferentAccess with everything from params, without marking params as permitted. If none of the above was enough for you, this should be. Be careful what you use it for; we have a separate card on that.
[1] For example: if params are assigned to model attributes, your model won't complain, since params were declared safe. Congratulations, you've gained a mass assignment vulnerability. Note that params.permit(:something) would still only extract the :something entry, but the original params object is still tainted, and you must avoid that.