ConradIrwin/mongoid-rails

mongoid-rails is the safest way to use MongoDB with Rails 3 or 4.

Installation

Add mongoid-rails to your Gemfile.

gem 'mongoid-rails'

Then run bundle install.

What does it do?

mongoid-rails provides protection against hash-injection attacks in Mongoid.

Forbidden attributes protection

This causes things like User.create(settings: params[:settings]) to raise an exception. If you want to create a user from parameters, you need to explicitly permit the fields that you want to allow.

User.create(settings: params[:settings].permit(:favorite_color))

This prevents an attacker from sneakily setting params[:settings][:admin] = true or similar.

Forbidden query protection

This protects you against query injection attacks. It makes the following code safe:

User.where(api_token: params[:api_token])

Without mongoid-rails, an attacker can send ?api_token[$gt]= to guess API tokens from your app. With mongoid-rails, that will cause an exception to be raised.
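
Why the bracketed parameter matters, as an added example that is not mongoid-rails' own code: Rails parses ?api_token[$gt]= into a nested hash, and a selector treats that hash as an operator instead of a value to compare. The matcher, the scalar-only guard and every name below (ForbiddenQueryValue, guarded_where, the sample users) are assumptions made for illustration and run without Rails or MongoDB.

```ruby
# Added illustration; a stand-alone model, not mongoid-rails' implementation.
class ForbiddenQueryValue < StandardError; end # hypothetical error class

# Constructed sample documents standing in for a users collection.
USERS = [
  { "name" => "alice", "api_token" => "9f2c-constructed" },
  { "name" => "bob",   "api_token" => "41ab-constructed" }
].freeze

# What Rails' parameter parsing yields for each query string (constructed).
PARAMS_STRING   = { "api_token" => "9f2c-constructed" }.freeze # ?api_token=9f2c-constructed
PARAMS_OPERATOR = { "api_token" => { "$gt" => "" } }.freeze    # ?api_token[$gt]=

# Toy selector matcher: a Hash value with "$" keys is an operator expression,
# as in a MongoDB selector; any other value is an equality test.
def matches?(doc, selector)
  selector.all? do |field, cond|
    next doc[field] == cond unless cond.is_a?(Hash)
    cond.all? do |op, arg|
      case op
      when "$gt" then doc[field].to_s > arg.to_s
      when "$ne" then doc[field] != arg
      else raise ArgumentError, "operator #{op} is not modelled here"
      end
    end
  end
end

# Unguarded lookup: passes request-derived values straight into the selector.
def unguarded_where(selector)
  USERS.select { |user| matches?(user, selector) }
end

# Guarded lookup: request-derived values must be scalars, so a Hash can never
# be reinterpreted as a query operator.
def guarded_where(selector)
  selector.each do |field, value|
    next if [String, Numeric, NilClass, TrueClass, FalseClass].any? { |k| value.is_a?(k) }
    raise ForbiddenQueryValue, "#{field}: #{value.class} not allowed in a query"
  end
  unguarded_where(selector)
end

def names(users)
  users.map { |u| u["name"] }
end
```

With PARAMS_OPERATOR the unguarded lookup returns every user because any token sorts after the empty string, while the guarded lookup raises before the selector is evaluated.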

Meta

mongoid-rails is released under the MIT license. See LICENCE.MIT for details.

About

Strong parameters integration with mongoid
