Regression with empty nested attributes in parameters

[OmarSkalli]

Rails 3.2.11 is causing a regression when nested attributes have an empty value. For example, the following code works in 3.2.10 but throws an exception in 3.2.11:

            $.ajax('/home/index', {
                type: 'POST',
                contentType: "application/json; charset=utf-8",
                dataType: "json",
                data: JSON.stringify({ post: { comments_attributes: [] }}),
                error: function(response, status, jqxhr) { $("#response").html(response.responseText); },
                success: function(response, status, jqxhr) { $("#response").html("Request successful"); }
            });
        });

You can reproduce the bug with the following repro application:

• Clone: https://github.com/Chetane/rails-3.2.11-nested-attributes-bug
• Rake db:migrate, rails server
• Go to home/index controller and follow steps

This is breaking my application, and other will most likely encounter this exception. This commit is causing the regression: d5cd97b

hash[k] = nil if v.empty

[mattgreen]

+1

We had to work around this in production just after we deployed 3.2.11. An empty array is a perfectly reasonable value.

[ienders]

+1

I don't usually comment on issues, but I'm sorry, this is pretty upsetting. An empty array and nil are not the same thing at all.

[akavi]

+1

Why is the fix in JSON parsing instead of in query generation?

Note that this fix also strips nils from within arrays (eg. [1, 2, 3, nil] => [1, 2, 3])

[PikachuEXE]

Should be related to #8831

[OmarSkalli]

Definitely related. It's worth pointing however that in this case, an exception is thrown. In #8831, it silently strips nil. Both should definitely be fixed.

[jeremy]

Please do investigate! Need a fix that doesn't result in args injection. See the tests @ d5cd97b#L7R27

[homakov]

tough question: leave nils and expect injection in find methods or remove them and get JSON broken. I don't know..

[mikebaldry]

+1

[nicolasblanco]

+1.
My app is broken because of this patch. And this application does not even use ActiveRecord.

[homakov]

ok, +1 too

[simonx1]

+1

[jeremy]

We have +7 but no code proposed. Please do investigate!

[ceterumnet]

+1

[jlsync]

+1 on this issue. Perhaps the solution is to delete the key from the params hash rather than setting the value to nil (which is my current work-around in a before_filter ).

[TheBerg]

+1

[rainulf]

+1

[TheBerg]

After investigating it some more, I totally understand why this was implemented the way it was implemented. Rails needs to be secure by default.

Maybe we should add a params_from_post_data method that would still let people get around this. Thoughts?

I am investigating if this would work in my own applications. If it works and people feel like it is a good work around I'll submit a patch.

[TheBerg]

Params from post data would look kinda like this:

  def json_params
    @json_params ||= ActionController::Parameters.new(ActiveSupport::JSON.decode(request.body))
  end

But would need to handle XML, JSON, etc. Thoughts?

[mattgreen]

@TheJeff : I'm not sure why empty JSON arrays are a security problem in ActionPack.

They may be a problem for AR, but but that's AR's problem, not ActionPack's.

[TheBerg]

Oh, ActionController::Parameters.new is part of StrongParameters & Rails4, not in Rails 3.

[TheBerg]

@mattgreen I agree, but don't see a way to fix this issue without severely crippling ActiveRecord (basically disallowing searching for nil values).

Personally, I feel like this is a per-application security vulnerability, but at the same time I respect the Rails Cores team working to make Rails secure by default.

Another way to fix this would be to extend StrongParameters so that a require or allow would make sure that that value is not an Array or Hash, but that would require people to move to StrongParameters.

[mattgreen]

Requiring people to use StrongParameters in Rails 4 would be an acceptable resolution to this bug.

But mutilating data that comes in to cover the persistence layer's weaknesses is ridiculous. I'm assuming this bug was an oversight.

[wpeterson]

+1 This will likely break things for us as well.

[TheBerg]

@mattgreen I believe it was an oversight, but also I don't really know of any other way to solve this issue without doing it. I am racking my brain for a solution and I just can't think of another one.

[Unpakt]

We've created a before filter that will fix this issue until there is a new actionpack release see the gist here:

https://gist.github.com/4495772

[abuggia]

+1

[edawerd]

+1

[xdaveyx]

+1

[imanel]

I would opt for removal of this - it's no longer necessary after permitted params were introduced.

[joshwlewis]

Looks like #11044 should solve this.

[jasonmp85]

LOL @ milestone 4.0.2.

"Hey guys, remember that time we broke compliance with JSON in a patch release? Well we're going to fix it in a patch release, too. Hope you didn't write any hacks to get around the asinine behavior."

[rafaelfranca]

Like I said, the milestone doesn't mean it will be fixed on that milestone,
it is just to make sure we will revisit this issue when release that
milestone.
On Nov 13, 2013 8:52 PM, "Jason Petersen" notifications@github.com wrote:

LOL @ milestone 4.0.2.

"Hey guys, remember that time we broke compliance with JSON in a patch
release? Well we're going to fix it in a patch release, too. Hope you
didn't write any hacks to get around the asinine behavior."

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/8832#issuecomment-28442476
.

[jasonmp85]

Ah. Serves me right to open my mouth before reading all the comments (though in all honestly I'm squelching this thread now because it's just been 👍s for months now).

[OmarSkalli]

Can a contributor add the "Regression" label to this issue please?

[rafaelfranca]

Agree with you we have to take a decision here. This is why I added the
milestone. I'll make sure we come with some solution before the 4.0.2
release. But it can be included only on 4.1.
On Nov 13, 2013 10:47 PM, "Jason Petersen" notifications@github.com wrote:

Ah. Serves me right to open my mouth before reading all the comments
(though in all honestly I'm squelching this thread now because it's just
been [image: 👍]s for months now).

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/8832#issuecomment-28450070
.

[imanel]

@rafaelfranca what is the reason for deep munge after implementation of permitted params. From what I remember the reason was passing array instead of string, which is now prevented by default...

[melcher]

+1

[mikeric]

+1

[luisobo]

👍

[vincentwoo]

+1

[11449]

+1

[chancancode]

Hey guys, thank you for submitting this and expressing your concerns about this issue! Speaking for myself, I understand where you are coming from, and I agree we could do better. Unfortunately, this PR does not meet our requirements for an acceptable solution to the problem.

Please stop responding with +1s and "me too"s. Those comments are only going to create noise for everyone and slow down the progress. We heard you loud and clear, and yes, we definitely care a lot about your opinion on this.

Instead, please head over to #13420 for the background and contribute your ideas. Thanks again! ❤️ 💚 💙 💛 💜