Beware of "nil" values in params

Recent Rails security updates have shown that people make incorrect assumptions about what the params hash can contain.

Don't make any. Treat params as what it is: untrusted user input that the client controls completely, including whether a key holds a string, nil, an array or a hash. For example:

/pages/edit?foo    --> params == {:foo => nil}
/pages/edit?foo[]  --> params == {:foo => [nil]}  # in Rails 2.x and older Rails 3 releases; later releases give []

Be especially wary of lookups like

User.find_by_password_reset_token(params[:password_reset_token])

If params[:password_reset_token] is nil, the finder generates a WHERE password_reset_token IS NULL condition and returns the first user without a token set, which is an arbitrary user and usually most of your user base. An attacker who can reach this code with an empty token can then complete the password reset for that account. The [nil] case is just as bad: ActiveRecord folds a nil inside an array into the same IS NULL condition, and [nil] is not blank, so a plain present? check on the raw param does not stop it.

Instead, coerce the value to a single string before it gets anywhere near a query, and refuse blanks:

token = params[:password_reset_token].to_s   # nil becomes "", an array becomes one harmless string
if token.present?
  User.find_by_password_reset_token(token)
end

Now the finder only ever receives a non-empty string, so the query is always password_reset_token = '...' and can only match a user who actually has that token.
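To see the difference without a database, here is an added example (my own code, not part of the original card): a tiny in-memory user table plus a finder that mimics how the ActiveRecord 3.0/3.1 predicate builder turns a nil, an array or a string into SQL (that mapping is an assumption modelled on those releases). The unsafe, naive-present? and hardened lookups are run side by side on the nil, [nil] and real-token inputs described above. The user records and the plain Hash standing in for params are constructed sample data.

```ruby
# Constructed sample data: two users with no reset in flight, one with a real token.
User = Struct.new(:id, :email, :password_reset_token)
USERS = [
  User.new(1, "admin@example.com", nil),
  User.new(2, "bob@example.com", nil),
  User.new(3, "carol@example.com", "a3f9c2")
].freeze

# Assumption: mirrors the SQL fragment ActiveRecord 3.0/3.1 builds for a single
# attribute. nil -> IS NULL; an array -> IN (...) with any nil member folded into
# an OR ... IS NULL; anything else -> equality against the string form.
def predicate_for(value)
  case value
  when nil
    "password_reset_token IS NULL"
  when Array
    non_nil = value.compact
    parts = []
    parts << "password_reset_token IN (#{non_nil.map(&:inspect).join(', ')})" unless non_nil.empty?
    parts << "password_reset_token IS NULL" if value.include?(nil)
    parts.join(" OR ")
  else
    "password_reset_token = #{value.to_s.inspect}"
  end
end

# Evaluate that same predicate against one record (what the database would do).
def matches?(user, value)
  case value
  when nil   then user.password_reset_token.nil?
  when Array then value.any? { |v| matches?(user, v) }
  else            user.password_reset_token == value.to_s
  end
end

# Unsafe: the raw param goes straight into the finder, as in the card's first snippet.
def find_user_unsafe(params)
  USERS.find { |u| matches?(u, params[:password_reset_token]) }
end

# ActiveSupport's present? semantics on an arbitrary object: blank? is empty? when
# the object responds to it, otherwise !object. Note that [nil] is "present".
def naive_present?(value)
  !(value.respond_to?(:empty?) ? value.empty? : !value)
end

# Naive guard: checks present? on the raw param, then still passes it through.
# Stops nil, but not [nil].
def find_user_naive(params)
  raw = params[:password_reset_token]
  return nil unless naive_present?(raw)
  USERS.find { |u| matches?(u, raw) }
end

# Hardened: to_s collapses nil to "" and an array to a single string, so the
# query can only ever be an equality match against a non-empty token.
def find_user_safe(params)
  token = params[:password_reset_token].to_s
  return nil if token.strip.empty?
  USERS.find { |u| u.password_reset_token == token }
end

if __FILE__ == $PROGRAM_NAME
  [nil, [nil], "a3f9c2"].each do |raw|
    params = { password_reset_token: raw }
    puts "param #{raw.inspect.ljust(9)} SQL: #{predicate_for(raw)}"
    puts "  unsafe -> #{find_user_unsafe(params)&.email.inspect}"
    puts "  naive  -> #{find_user_naive(params)&.email.inspect}"
    puts "  safe   -> #{find_user_safe(params)&.email.inspect}"
  end
end
```

Running it shows the unsafe and naive versions handing back the first token-less user (admin) for nil and [nil] respectively, while the hardened version returns nothing for both and still finds carol for her real token.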
Tobias Kraze Almost 12 years ago