Don't convert empty arrays to nils when deep munging params #16924
👍 /cc @NZKoz @tenderlove @jeremy
It would need careful review, just in case, and I'd do it for 5.0. There's not going to be a 4.3 version.
Related with #13420
Glad to see this get the thumbs up, and agreed on the review. Feels very much worth making sure there are automated tests around ActiveRecord in the relevant places too (and have them run against all officially supported database adapters).
This change looks fine to me, however I think we should also revisit the munging of It was initially a surprising API which when combined with .blank? ended up doing crazy things, but perhaps we can simply document that behaviour now and move on?
Just spotted master is open for 5.0.0 work, so I've rebased against that. Is this good for merge now? Let me know if there's anything you'd like changed.
@spastorino Any update? Keen to get this merged. Just rebased again for changelog conflicts. Let me know if there's anything else you'd like changing.
👍 from me!
Don't convert empty arrays to nils when deep munging params
❤️
Is this patch available in any of 4.x? We're running 4.0.4 and wouldn't mind updating a minor revision to get this.
This went in for 5.0, as it was a breaking change and 4.2 was too close to release.
The behavior of `deep_munge` was changed in rails/rails#16924 for security reasons, so we should expect a different outcome when running against Rails 5.0+.
This commit tweaks the behaviour of `deep_munge` in light of changes made to improve security in ActiveRecord.

Previously, when an empty array was passed as an argument to a `where` or `find_by` query, it would generate SQL with an `IS NULL` clause. This led to vulnerabilities due to records being returned in cases where app code didn't expect it. These are documented in:

Now (example using Rails 4.1.5 and Postgres 9.2.8), ActiveRecord generates a query like:

which never returns any rows.

This new behaviour makes it possible to change the behaviour of `deep_munge` in what seems like a preferable way. While `nil`s are still stripped from arrays in params, empty arrays won't be converted into `nil`. Apps would no longer need to work around this behaviour by re-parsing JSON if they want to distinguish between `nil` and `[]`.

Conveniently, this would fix rails/strong_parameters#192 as well.

I realise it wouldn't be appropriate to target this change at 4.2 this late in the day, but it seems like it would be a nice improvement for 4.3.
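The two `deep_munge` behaviours the description contrasts, as an added example that is not the rails/rails code or part of this pull request. `deep_munge_legacy` and `deep_munge_current` are my own minimal reimplementations of the 4.x and proposed 5.0 semantics (the real ones live in ActionDispatch), and `predicate_for` is a toy model of a `where(column: value)` predicate whose SQL text is an assumption chosen only to show why `nil` and `[]` must stay distinguishable: `nil` becomes `IS NULL` (which matches rows), while an empty array becomes a predicate that matches nothing. The params hashes are constructed inputs standing in for a parsed JSON body such as `{"ids": []}`.

```ruby
# Added illustration, not the project's code. Reimplements the two deep_munge
# behaviours discussed in the PR and a toy predicate builder for comparison.

# Legacy (Rails 4.x) behaviour: nils are stripped from arrays, and an array
# that ends up empty is replaced by nil.
def deep_munge_legacy(hash)
  hash.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |h| deep_munge_legacy(h) } # recurse into nested hashes
      v.compact!                                # drop nil elements in place
      hash[k] = nil if v.empty?                 # the surprising step: [] => nil
    when Hash
      deep_munge_legacy(v)
    end
  end
  hash
end

# Behaviour proposed in this PR (Rails 5.0+): nils are still stripped from
# arrays, but an empty array stays an empty array.
def deep_munge_current(hash)
  hash.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |h| deep_munge_current(h) }
      v.compact!
    when Hash
      deep_munge_current(v)
    end
  end
  hash
end

# Toy model of a `where(column: value)` predicate (assumed SQL text, for
# illustration only): nil => IS NULL, [] => a predicate matching no rows,
# non-empty array => IN (...), scalar => equality.
def predicate_for(column, value)
  case value
  when nil   then "#{column} IS NULL"
  when Array then value.empty? ? "1=0" : "#{column} IN (#{value.map(&:inspect).join(', ')})"
  else            "#{column} = #{value.inspect}"
  end
end

# Run a constructed params hash through both versions and report the predicate
# a naive `where(id: params["ids"])` would receive under each.
def compare(params)
  legacy  = deep_munge_legacy(Marshal.load(Marshal.dump(params)))  # deep copies,
  current = deep_munge_current(Marshal.load(Marshal.dump(params))) # munging mutates
  {
    legacy:  predicate_for("id", legacy["ids"]),
    current: predicate_for("id", current["ids"]),
  }
end

if __FILE__ == $PROGRAM_NAME
  p compare("ids" => [])          # legacy: "id IS NULL", current: "1=0"
  p compare("ids" => [1, nil, 2]) # both: "id IN (1, 2)"
end
```

The first `compare` call is the case the PR is about: under the legacy munging an empty `ids` array reaches the query layer as `nil` and turns into `id IS NULL`, which can match real rows, whereas under the new munging it stays `[]` and yields a predicate that matches none. The second call shows that stripping `nil` elements from non-empty arrays is unchanged.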