Beware of params with non-string values (nil, array, hash)

Recent rails security updates have shown that people make incorrect assumptions about the possible contents of the params hash.

Just don't make any! Treat it as what it is: potentially unsafe user input. For example:

/pages/edit?foo=   --> params == {:foo => ""}
/pages/edit?foo    --> params == {:foo => nil}
/pages/edit?foo[]  --> params == {:foo => [nil]} # at least in older rails 3 and in rails 2.x

Be especially wary about stuff like

User.find_by_password_reset_token(params[:password_reset_token])

If params[:password_reset_token] is nil, you'll retrieve a random user that doesn't have a token set.

Instead do

token = params[:password_reset_token].to_s
if token.present?
  User.find_by_password_reset_token(token)
end
Tobias Kraze
This website uses short-lived cookies to improve usability.
or learn more