Add configuration option to optionally disable deep_munge #13188
Conversation
|
/cc @jeremy |
|
I'm aware that |
| Please be aware of possible security issue when using this option: | ||
| [CVE-2013-0155](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI) | ||
|
|
||
| **Bernard Potocki** |
|
I'm 👍 on a config option as a pressure-release valve for users who are affected by this issue and explicitly choose to opt out of security protection. The option can be deprecated if/when we have a superior solution to the root issue. |
|
That was the intention - right now a lot of users are still on 3.2.10 or are patching Rails 4 because of this issue (I'm doing so). Should I add/modify something in order to push this forward? I also can't find test result on Travis - how to rerun pull request testing? |
|
Any update on this one? |
Add configuration option to optionally disable deep_munge Conflicts: actionpack/CHANGELOG.md
|
Thanks @imanel ! 👍 |
|
Maybe I'm not understanding how this works, but this doesn't seem to work for me in Rails 4.1.1. I'm developing a JSON API and I want clients to be able to update Array fields by passing in an empty array in the JSON. Here's what I have: # In config/application.rb
config.action_dispatch.perform_deep_munge = false# In the model
serialize :emails, Array# In the controller
def update
location = Location.find(params[:id])
location.update!(location_params)
render json: location, status: 200
end
private
def location_params
params.permit(emails: [])
end# In the spec
it 'allows empty array for serialized array fields' do
patch api_endpoint(path: "/locations/#{@loc.id}"),
{ emails: [] },
'HTTP_X_API_TOKEN' => @token
expect(json['emails']).to eq([])
endWith this setup, the spec does not pass. To make it pass, I need to explicitly set the def location_params
params[:emails] ||= []
params.permit(emails: [])
endThis works regardless of the deep munge setting, but is not ideal since I would have to do the Am I misunderstanding the deep munge setting or is it not working as expected? |
|
It looks like you're using it correctly, so it's very strange. Could you prepare example app confirming this error? I will try to check what's happening. |
|
I did some more research and found some interesting things. First, it turns out that to test an empty array, you have to specify a few more things in the spec. The hash needs it 'sets emails field to empty array when value is empty array' do
patch api_endpoint(path: "/locations/#{@loc.id}"),
{ emails: [] }.to_json,
'HTTP_X_API_TOKEN' => @token,
'Content-Type' => 'application/json'
expect(json['emails']).to eq([])
endSecond, the behavior varies depending on whether you're using it 'sets emails field to empty array when value is empty array' do
patch api_endpoint(path: "/locations/#{@loc.id}"),
{ emails: [] }.to_json,
'HTTP_X_API_TOKEN' => @token,
'Content-Type' => 'application/json'
expect(json['emails']).to eq([])
endit 'sets emails field to empty array when value is nil' do
patch api_endpoint(path: "/locations/#{@loc.id}"),
{ emails: nil }.to_json,
'HTTP_X_API_TOKEN' => @token,
'Content-Type' => 'application/json'
expect(json['emails']).to eq([])
endWith |
|
What's the earliest release where this config option is available? I'm not sure how to check. Currently using 4.0.4 and would like to be able to turn off deep munge. |
|
4.1.0. You can see this info in the commit page, just below at the commit message e8572cf |
In relation to #13157 I tried to add option to disable deep_munge if developer is willing to do so. Deep munge is enabled by default to protect those who are unaware of risk, while allowing to disable it if advanced parameter parsing is required in given application.