
Log for which keys values were set to nil in deep_munge#13813

Merged
rafaelfranca merged 1 commit into rails:master from lukesarnacki:log-deep-munge on Jan 29, 2014

Conversation

@lukesarnacki
Contributor

I think we all want deep_munge to be gone soon, but I am afraid that we will have to wait a little bit longer. There are many developers who are not aware of this behaviour, so I thought that it would be nice of RoR if there was some kind of hint of what actually happened, so I added a log message when a value is set to nil in deep_munge.

I hope that with #13420 we will quickly make the code from this PR go away, but in case it takes a bit longer...

Any suggestions for better log message would be awesome.

Member

.

@rafaelfranca
Member

Seems a good plan to me.

@chancancode
Member

👍

@lukesarnacki
Contributor Author

@rafaelfranca @chancancode I fixed typos and made the logs a little bit smarter, so e.g. params[:article][:tags] is printed instead of just :tags. I will add a mention of deep_munge to the guides and will link to it in the log message later today.

@lukesarnacki
Contributor Author

@rafaelfranca @chancancode I added a deep_munge description to the guides. One mention is in the Action Controller Overview, in the "Hash and array parameters" section; the second one is in the security guide as the "Unsafe query generation" chapter. I think it covers this well, but I am not sure if this is in the proper place when it comes to the security guide.

The log output will look like:

Value for params[:article][:tags] was set to nil, because it was one of [], [null] or [null, null, ...]. \
Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation for more information.

(the new line here is made for better readability)
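The behaviour this PR adds logging for, as an added illustration that is not the Rails code from this PR: a standalone deep_munge that removes nils from arrays in parsed parameters, replaces an array that ends up empty (originally [], [null] or [null, null, ...]) with nil, and emits the message quoted above using the params[:article][:tags] path style. The helper names, the StringIO-backed logger, the decision that array indices do not appear in the path, and the JSON request body are assumptions constructed for this example.

```ruby
require "json"
require "logger"
require "stringio"

# Added example, not the Rails implementation: a standalone version of the
# deep_munge behaviour discussed in this PR, with the log message the PR adds.
# The key-path format ("params[:article][:tags]") follows the output quoted in
# the discussion; the logger wiring and helper names are assumptions.
GUIDE_URL = "http://guides.rubyonrails.org/security.html#unsafe-query-generation"

def munge_message(path)
  "Value for #{path} was set to nil, because it was one of [], [null] or " \
    "[null, null, ...]. Go to #{GUIDE_URL} for more information."
end

def param_path(keys)
  "params" + keys.map { |k| "[:#{k}]" }.join
end

# Walks a parsed parameter hash in place.  Arrays have their nils removed,
# hashes nested inside arrays are recursed into, and an array left empty
# (originally [], [null] or [null, null, ...]) is replaced with nil and logged.
# Hash keys reached through an array contribute to the path; array indices do
# not (an assumption of this example).
def deep_munge(hash, logger, keys = [])
  hash.each do |k, v|
    path = keys + [k]
    case v
    when Array
      v.grep(Hash) { |h| deep_munge(h, logger, path) }
      v.compact!
      if v.empty?
        logger.info(munge_message(param_path(path)))
        hash[k] = nil
      end
    when Hash
      deep_munge(v, logger, path)
    end
  end
  hash
end

# Parses a JSON request body the way a params parser would see it and munges
# it, returning both the resulting params and the log lines that were emitted.
def munge_json_body(body)
  log_io = StringIO.new
  logger = Logger.new(log_io)
  logger.formatter = proc { |_sev, _time, _prog, msg| "#{msg}\n" }
  params = deep_munge(JSON.parse(body, symbolize_names: true), logger)
  [params, log_io.string.lines.map(&:chomp)]
end

# Constructed request body (not from the PR): the [null, null] and [] values
# are the shapes deep_munge nils out, "ids" shows an array that merely loses
# its nil, and "comments" shows a hash nested inside an array.
SAMPLE_BODY = '{"article":{"title":"Hello","tags":[null,null],"ids":[1,null,2],' \
              '"comments":[{"body":[]}]},"filter":[]}'

if __FILE__ == $PROGRAM_NAME
  params, lines = munge_json_body(SAMPLE_BODY)
  p params
  puts lines
end
```

Running the file prints the munged hash (tags, comments[0].body and filter become nil, ids becomes [1, 2]) followed by one log line per nilled key, so a developer who sees an unexpected nil in their controller gets the exact path and the link to the "Unsafe query generation" chapter instead of a silent change.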

Member


Should be "in params" since we are talking about the method. If we are talking about the parameters, it should be "in parameters"

Member


There is an extra space between the penultimate period and "See". Could you also wrap new additions around 80 chars please? 😃

@lukesarnacki
Contributor Author

@rafaelfranca I corrected mistakes you pointed out and added mention in configuration guide.

@robin850 Yeah, that line started to be very long ;) I changed it to multiline string.

Member


Could you wrap your additions around 80 chars please? The other guides aren't wrapped either. 😄

Also, this will need to be rebased. Thanks for the great work here so far! 👍

Contributor Author


Hey, thanks for the heads up, is it ok now? :)

deep_munge solves the CVE-2013-0155 security vulnerability, but its
behaviour is definitely confusing. This commit adds logging to deep_munge.
It logs the keys for which values were set to nil.

Mentions were also added to the guides.
rafaelfranca added a commit that referenced this pull request Jan 29, 2014
Log for which keys values were set to nil in deep_munge
@rafaelfranca rafaelfranca merged commit 0fcbc65 into rails:master Jan 29, 2014
@rafaelfranca
Member

Thanks @lukesarnacki. Very good PR as always ❤️

@lukesarnacki
Contributor Author

Thanks @rafaelfranca :)

5 participants