Beware of params with non-string values (nil, array, hash)


Recent Rails security updates have shown that people make incorrect assumptions about the possible contents of the params hash.

Just don't make any! Treat it as what it is: potentially unsafe user input. For example:

/pages/edit?foo=   --> params == {:foo => ""}
/pages/edit?foo    --> params == {:foo => nil}
/pages/edit?foo[]  --> params == {:foo => [nil]} # at least in older rails 3 and in rails 2.x

Be especially wary about stuff like

User.find_by_password_reset_token(params[:password_reset_token])

If params[:password_reset_token] is nil, the finder looks for a NULL token and you'll retrieve an arbitrary user that doesn't have a token set (i.e. one who never requested a reset at all).

Instead, coerce the value to a string and refuse blanks before querying:

token = params[:password_reset_token].to_s # nil becomes "", arrays/hashes become strings, never nil
if token.present?                          # rejects "" and whitespace-only values
  User.find_by_password_reset_token(token)
end
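To see the difference end to end, here is an added example (not from the card) that simulates the lookup against an in-memory users table instead of ActiveRecord; `USERS`, `PARAMS_FROM_QUERY`, `unsafe_find_by_token` and `safe_find_by_token` are names constructed for this demonstration.

```ruby
# Constructed sample data standing in for a users table (not the card's code).
USERS = [
  { id: 1, email: "alice@example.com", password_reset_token: "a1b2c3" },
  { id: 2, email: "bob@example.com",   password_reset_token: nil },
].freeze

# What Rails builds into params for the query strings discussed on the card
# (constructed for this demonstration).
PARAMS_FROM_QUERY = {
  "/reset?token=a1b2c3" => { token: "a1b2c3" },
  "/reset?token="       => { token: "" },
  "/reset?token"        => { token: nil },
  "/reset?token[]"      => { token: [nil] },
  "/reset?token[x]=1"   => { token: { "x" => "1" } },
}.freeze

# Simulates the dynamic finder from the card: a nil argument matches any row
# whose token column is NULL, which is exactly the bug.
def unsafe_find_by_token(token)
  USERS.find { |user| user[:password_reset_token] == token }
end

# The hardened version from the card: coerce to a String first, refuse blanks.
# nil -> "", arrays/hashes -> their inspect string, so nil can never reach the query.
def safe_find_by_token(raw)
  token = raw.to_s
  return nil if token.strip.empty? # `present?` without ActiveSupport
  USERS.find { |user| user[:password_reset_token] == token }
end

# Runs every sample request through both finders; returns [path, unsafe_id, safe_id].
def compare_lookups
  PARAMS_FROM_QUERY.map do |path, params|
    unsafe = unsafe_find_by_token(params[:token])
    safe   = safe_find_by_token(params[:token])
    [path, unsafe && unsafe[:id], safe && safe[:id]]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_lookups.each do |path, unsafe_id, safe_id|
    puts format("%-22s unsafe=%-4s safe=%s", path, unsafe_id.inspect, safe_id.inspect)
  end
end
```

The `/reset?token` row is the one to watch: the unsafe finder returns bob, who never asked for a reset, while the safe finder returns nothing.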
Last edit: Henning Koch
License: Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to makandra dev (2012-06-22 09:13)