Always compact array parameters rather than setting them to nil #12251
@christhekeele

Rebase reapplication of #9569, thanks to @collectiveidea and @laserlemon

The CVE-2013-0155 security vulnerability outlines how array parameters
containing nil values can be dangerous when accepted directly into
Active Record finder methods. The previous fix has been to detect array
parameters with nil values and to clobber the entire array into nil.

Instead, compacting the array solves the security issue and causes less
surprise in the case where array parameters are expected, as is often
the case when accepting nested attributes for collections.

@laserlemon @christhekeele laserlemon Always compact array parameters rather than setting them to nil 7343c01

Sheer beauty

Do it for him.

Contributor

☝️

Joseph Zidell and others added some commits Oct 3, 2013
Joseph Zidell Fixed typo in documentation 58d64dd
Joseph Zidell Fixed return strings in documentation bf49506
@senny senny Merge pull request #12440 from arunagw/minor-fix-running-unit-test-file
Directory name in RUNNING_UNIT_TESTS.rdoc [ci skip]
86780e2
@rafaelfranca rafaelfranca Merge pull request #12437 from websiteswithclass/master
Fixed typo in documentation
874ca68
@arthurnn @rafaelfranca arthurnn add regression test for set_inverse_instance on add_to_target 37cd223
@tenderlove tenderlove wrap logging around the actual query call itself.
This is to be consistent with the way the mysql2 adapter times queries
ffbefc7
@tenderlove tenderlove stop adding singleton methods to the PG connection cc04a4a
@tenderlove tenderlove stop adding singleton methods to the mysql2 adapter 6828ae7
@tenderlove tenderlove stop adding singleton methods to the SQLite3 connection 46c57ec
@tenderlove tenderlove rm LogIntercepter a0420d4
@tenderlove tenderlove prepare the statement inside the begin / rescue block 19fc886
@tenderlove tenderlove log every sql statement, even when they error 98e0016
@tenderlove tenderlove log the statement name along with the SQL 2ae9166
@tenderlove tenderlove instrumenter can't be cached because the app could be called from
different threads.
21a71cd
@laserlemon @christhekeele laserlemon Always compact array parameters rather than setting them to nil d45f61a
@christhekeele christhekeele Re-rebase off of master. 1755937
Owner

Hey guys, thank you for submitting this and expressing your concerns about this issue! Speaking for myself, I understand where you are coming from, and I agree we could do better. Unfortunately, this PR does not meet our requirements for an acceptable solution to the problem.

Please head over to #13420 for the background and contribute your ideas. Thanks again! ❤️ 💚 💙 💛 💜

Contributor
imanel commented Dec 20, 2013

May I ask for squashing this one and removing those strange commits inside? It's really hard to review it.

Except for that, it looks like the only difference is that it's not changing an empty array to nil but leaves it as an array; this is nice as the type is not changed. As I strongly believe that CVE-2013-0155 should use at least blank? instead of nil?, the main idea is to be "secure by default", even at the cost of breaking some APIs for now.

Fortunately you can disable deep munge in Rails 4.1, so if you need proper params handling you have tools for that. In the meantime I will gladly hear suggestions in #13215, as this is probably the first try to fix the problem without tradeoffs.

EDIT: Table for this one:

| JSON                         | Hash                    |
|------------------------------|-------------------------|
| `{"person":null}`            | `{'person' => nil}`     |
| `{"person":[]}`              | `{'person' => []}`      |
| `{"person":[null]}`          | `{'person' => []}`      |
| `{"person":[null, null, ...]}` | `{'person' => []}`    |
| `{"person":["foo", null]}`   | `{'person' => ["foo"]}` |

As mentioned above, it maintains the type passed in JSON, and blank? will detect if it's empty.
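The two munging strategies contrasted by the PR description and by the table above, as an added Ruby example (not Rails' own deep_munge code and not from this PR): `clobber_munge` models the previous behaviour as imanel characterises it (drop nils, then turn an empty array into nil), `compact_munge` models this PR's proposal (drop nils, keep the array), and `supplied?` is a hypothetical stand-in for the blank? check a caller would make; function names and the JSON bodies are constructed for the example.

```ruby
require "json"

# Previous fix, as imanel describes it: nils are dropped and an array that
# ends up empty is replaced by nil, so [null] never reaches a finder as
# [nil], but the caller can no longer tell "no array" from "empty array".
def clobber_munge(hash)
  hash.each do |key, value|
    case value
    when Array
      value.grep(Hash) { |nested| clobber_munge(nested) }
      value.compact!
      hash[key] = nil if value.empty?
    when Hash
      clobber_munge(value)
    end
  end
  hash
end

# This PR's proposal: nils are dropped but the array stays an array ([null] -> []).
def compact_munge(hash)
  hash.each do |key, value|
    case value
    when Array
      value.grep(Hash) { |nested| compact_munge(nested) }
      value.compact!
    when Hash
      compact_munge(value)
    end
  end
  hash
end

# Parse a JSON request body (constructed input) and munge it with one strategy.
def munge_json(body, strategy)
  send(strategy, JSON.parse(body))
end

# The check a caller makes under the compact strategy: nil and [] both mean
# "nothing supplied", mirroring ActiveSupport's blank? without requiring it.
def supplied?(value)
  !(value.nil? || (value.respond_to?(:empty?) && value.empty?))
end

if __FILE__ == $0
  %w[null [] [null] [null,null] ["foo",null]].each do |json|
    body = %({"person":#{json}})
    puts "#{body.ljust(24)} previous=#{munge_json(body, :clobber_munge)['person'].inspect.ljust(8)} pr=#{munge_json(body, :compact_munge)['person'].inspect}"
  end
end
```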

@chancancode chancancode was assigned Jan 8, 2014