Make kaminari more robust against invalid input values #334

Closed

3 participants

@borisruf

As proposed in the documentation, kaminari methods are often called in the controller with "unsanitized" parameters from the params hash (e.g. User.order(:name).page params[:page]). However, this makes the app vulnerable to invalid input: a request with an array instead of an integer (e.g. ...?page[]=2) causes the app to raise an exception.

I suggest handling invalid input values within kaminari and have attached a fix for the per parameter.

Thanks for your consideration,
Boris

@eitoball

Instead of just checking for Array, how about like this?

```ruby
def per(num)
  # to_i on anything that is not a String/Integer (Array, Hash, nil) yields nil
  n = num.try(:to_i) rescue nil
  if n.nil?
    limit(nil).offset(0)
  elsif n <= 0
    # snip
  end
end
```
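As an added illustration of the coercion the two comments above are discussing (my example, not kaminari's code or either commenter's): a strict sanitizer for the `page` and `per` values before they reach `.page(...).per(...)`. It assumes `params` is a plain Hash shaped like the one Rack's query parser builds, and the defaults and the cap are assumed values.

```ruby
# Added example, not kaminari's code. Coerces pagination parameters so that
# a request such as ?page[]=2 (Array), ?page[x]=2 (Hash), ?per=abc or
# ?per=-5 falls back to a default instead of raising in the controller.
# Assumed defaults; a real app would pick its own.
PAGE_DEFAULT = 1
PER_DEFAULT  = 25
PER_MAX      = 100

# Returns a positive Integer for a well-formed value, nil for anything else
# (nil, Array, Hash, Float, empty or non-numeric strings, zero, negatives).
def sanitize_positive_int(value)
  case value
  when Integer
    value.positive? ? value : nil
  when String
    # Integer() is strict, unlike String#to_i: "2abc", "", "2.5" all raise.
    n = Integer(value, 10) rescue nil
    n && n.positive? ? n : nil
  else
    nil # Array from page[]=2, Hash from page[x]=2, nil for a missing key
  end
end

# Builds the arguments a controller would hand to .page(...).per(...),
# substituting defaults for invalid input and capping per-page size.
def pagination_args(params)
  page = sanitize_positive_int(params["page"]) || PAGE_DEFAULT
  per  = sanitize_positive_int(params["per"])  || PER_DEFAULT
  { page: page, per: [per, PER_MAX].min }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring what Rack parses from the query strings
  # ?page=3&per=500, ?page[]=2, ?page[x]=2&per=abc and ?page=-1&per=
  [
    { "page" => "3", "per" => "500" },
    { "page" => ["2"] },
    { "page" => { "x" => "2" }, "per" => "abc" },
    { "page" => "-1", "per" => "" },
  ].each { |p| puts "#{p.inspect} -> #{pagination_args(p).inspect}" }
end
```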
@zzak
Collaborator

Unfortunately I disagree with this. There are many ways to raise an exception; I don't consider this a vulnerability.

@zzak zzak closed this Aug 7, 2013