Recent rails security updates have shown that people make incorrect assumptions about the possible contents of the params hash.

Do you need DevOps-experts?

Your development team has a full backlog? No time for infrastructure architecture? Our DevOps team is ready to support you!

• We build reliable cloud solutions with Infrastructure as code
• We are experts in security, Linux and databases
• We support your dev team to perform

Read more Show archive.org snapshot

Just don't make any! Treat it as what it is: potentially unsafe user input. For example:

/pages/edit?foo    --> params == {:foo => nil}
/pages/edit?foo[]  --> params == {:foo => [nil]} # at least in older rails 3 and in rails 2.x

Be especially wary about stuff like

User.find_by_password_reset_token(params[:password_reset_token])

If params[:password_reset_token] is nil, you'll retrieve a random user that doesn't have a token set.

Instead do

token = params[:password_reset_token].to_s
if token.present?
  User.find_by_password_reset_token(token)
end