Add support for Strong Params #27

liveh2o · 2015-02-11T18:36:27Z

Active Record now enforces attribute whitelisting through Strong Params, but ARem doesn't support it. It should.

liveh2o · 2015-02-26T22:09:38Z

Not actually an issue. Active Record has nothing to do with Strong Params.

brianstien · 2015-07-14T20:59:17Z

This is still a problem, here is an example

class User < ::ActiveRecord::Base
end

UsersController < ::ApplicationController::Base
  def update
    @user = User.find(params[:id])
    @user.update_attributes(params[:user]) # raises ActiveModel::ForbiddenAttributes because params have not been sanitized with strong params
  end
end

class User < ::ActiveRemote::Base
end

UsersController < ::ApplicationController::Base
  def update
    @user = User.find(params[:id])
    @user.update_attributes(params[:user]) # does not raise an error, allows mass assignment vulnerability
  end
end

brianstien · 2015-07-14T23:54:51Z

I think we need to include ActiveModel::ForbiddenAttributesProtection into ActiveRemote::Base

https://github.com/cgriego/active_attr#massassignment

liveh2o · 2015-07-14T23:59:05Z

Tricky. I'll get something up soon.

liveh2o · 2017-02-21T23:42:54Z

Closing this because the work on v3.0 (#36) covers it.

liveh2o closed this as completed Feb 26, 2015

liveh2o reopened this Jul 14, 2015

liveh2o closed this as completed Feb 21, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for Strong Params #27

Add support for Strong Params #27

liveh2o commented Feb 11, 2015

liveh2o commented Feb 26, 2015

brianstien commented Jul 14, 2015

brianstien commented Jul 14, 2015

liveh2o commented Jul 14, 2015

liveh2o commented Feb 21, 2017

Add support for Strong Params #27

Add support for Strong Params #27

Comments

liveh2o commented Feb 11, 2015

liveh2o commented Feb 26, 2015

brianstien commented Jul 14, 2015

brianstien commented Jul 14, 2015

liveh2o commented Jul 14, 2015

liveh2o commented Feb 21, 2017