
Log for which keys values were set to nil in deep_munge #13813

Merged
merged 1 commit into from Jan 29, 2014

Conversation

lukesarnacki (Contributor)

I think we all want deep_munge to be gone soon, but I am afraid that we will have to wait a little bit longer. There are many developers who are not aware of this behaviour, so I thought it would be nice of RoR if there were some kind of hint of what actually happened, so I added a log message when a value is set to nil in deep_munge.

I hope that with #13420 we will quickly make the code from this PR go away, but in case it takes a bit longer...

Any suggestions for better log message would be awesome.

@@ -1,3 +1,11 @@
* Log which keys were affected by deep munge
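Review bot: the CHANGELOG entry on the `+` line says only that affected keys are logged; per the PR description it should also say when the message is emitted (when `deep_munge` replaces a value with `nil`) and where it sends the reader (the Security Guide's "Unsafe query generation" section), and Rails CHANGELOG entries normally end with an attribution line (`*Author Name*`) and a reference to the pull request.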

@rafaelfranca (Member)

Seems a good plan to me.

@chancancode (Member)

👍

@lukesarnacki (Contributor, Author)

@rafaelfranca @chancancode I fixed typos and made the logs a little bit smarter, so i.e. params[:article][:tags] is printed instead of just :tags. I will add a mention of deep_munge to the guides and will link to it in the log message later today.

@lukesarnacki (Contributor, Author)

@rafaelfranca @chancancode I added a deep_munge description to the guides. One mention is in the Action Controller Overview, in the "Hash and array parameters" section; the second one is in the Security Guide as the "Unsafe query generation" chapter. I think it covers this well; I am not sure whether this is the proper place when it comes to the security guide.

The output of the command will look like:

Value for params[:article][:tags] was set to nil, because it was one of [], [null] or [null, null, ...]. \
Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation for more information.

(the line break here is made for better readability)
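The logging behaviour described in this comment, as an added example that is not Rails' own code and not the code in this PR: a stand-alone munger that drops `nil` elements from arrays, replaces values that end up empty (`[]`, `[nil]`, `[nil, nil, ...]`) with `nil`, and logs the full key path of each replaced value. The `ParamMunger` class, the `sample_params` and `run_sample` helpers and the sample parameter hash are constructed for illustration; the log text copies the message quoted above.

```ruby
require 'logger'
require 'stringio'

# Added example, not Rails' own code: a stand-alone munger that mirrors the
# deep_munge behaviour discussed in this PR. Arrays have their nil elements
# dropped; a value that is [], [nil] or [nil, nil, ...] therefore ends up empty
# and is replaced with nil. Every replaced key is logged with its full path
# (params[:article][:tags] rather than just :tags). The class name and all
# helper names are assumptions made for this example.
class ParamMunger
  GUIDE_URL = 'http://guides.rubyonrails.org/security.html#unsafe-query-generation'

  def initialize(logger = Logger.new($stdout))
    @logger = logger
    @munged_keys = [] # pretty-printed paths that were set to nil, in order
  end

  attr_reader :munged_keys

  # Mutates and returns +hash+. +path+ is the textual prefix used in log lines.
  def deep_munge(hash, path = 'params')
    hash.each do |key, value|
      key_path = "#{path}[#{key.inspect}]"
      case value
      when Array
        # Recurse into nested hashes first (arrays of hashes are common in
        # form params); the logged path does not carry the array index.
        value.each { |element| deep_munge(element, key_path) if element.is_a?(Hash) }
        value.compact!
        if value.empty?
          hash[key] = nil
          record(key_path)
        end
      when Hash
        deep_munge(value, key_path)
      end
    end
    hash
  end

  private

  def record(key_path)
    @munged_keys << key_path
    @logger.info(
      "Value for #{key_path} was set to nil, because it was one of [], [null] or [null, null, ...]. " \
      "Go to #{GUIDE_URL} for more information."
    )
  end
end

# Constructed sample request parameters (not taken from a real request).
def sample_params
  {
    article: {
      title: 'Hello',
      tags: [nil],                            # becomes nil and is logged
      comments: [{ body: 'first', ids: [] }]  # nested [] becomes nil and is logged
    },
    ids: ['1', nil, '2']                      # nil dropped, array itself kept
  }
end

# Runs the munger over the sample; returns [munged_hash, logged_paths, log_text].
def run_sample
  log = StringIO.new
  munger = ParamMunger.new(Logger.new(log))
  munged = munger.deep_munge(sample_params)
  [munged, munger.munged_keys, log.string]
end

if __FILE__ == $PROGRAM_NAME
  munged, keys, log_text = run_sample
  puts log_text
  puts "affected keys: #{keys.inspect}"
  puts "result: #{munged.inspect}"
end
```

Running the file prints one log line per replaced key; `run_sample` returns the munged hash and the recorded paths so the behaviour can be checked without parsing log output. Note that `['1', nil, '2']` is not replaced: only arrays that are empty after the `nil` elements are removed become `nil`, which is the same rule the message above describes.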

@@ -112,6 +112,8 @@ NOTE: The actual URL in this example will be encoded as "/clients?ids%5b%5d=1&id

The value of `params[:ids]` will now be `["1", "2", "3"]`. Note that parameter values are always strings; Rails makes no attempt to guess or cast the type.

NOTE: Since `3.2.8` version of rails, values such as `[]`, `[nil]` or `[nil, nil, ...]` in params are replaced with `nil` for security reasons by default. See [Security Guide](security.html#unsafe-query-generation) for more information.
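Review bot: the NOTE on the `+` line says the replacement happens "for security reasons by default" but gives the reader no way to find out how the default is controlled or what they give up by changing it; since the author later adds a mention to the configuration guide, a link to that entry from this NOTE would close the gap. The version clause also reads awkwardly; "Since Rails 3.2.8" is the usual form.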
Member
Should be "in params" since we are talking about the method. If we are talking about the parameters, it should be "in parameters"

Member

There is an extra space between the penultimate period and "See". Could you also wrap new additions at around 80 chars please? 😃

@lukesarnacki (Contributor, Author)

@rafaelfranca I corrected the mistakes you pointed out and added a mention in the configuration guide.

@robin850 Yeah, that line was getting very long ;) I changed it to a multiline string.

@@ -112,6 +112,8 @@ NOTE: The actual URL in this example will be encoded as "/clients?ids%5b%5d=1&id

The value of `params[:ids]` will now be `["1", "2", "3"]`. Note that parameter values are always strings; Rails makes no attempt to guess or cast the type.

NOTE: Values such as `[]`, `[nil]` or `[nil, nil, ...]` in `params` are replaced with `nil` for security reasons by default. See [Security Guide](security.html#unsafe-query-generation) for more information.
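Review bot: the rewritten NOTE on the `+` line drops the version in which this behaviour started, which is the detail people upgrading older apps need; keeping "since Rails 3.2.8" costs nothing. The phrase "for security reasons" also tells the reader nothing about the actual risk; one clause saying that a `nil` parameter reaching a query condition is otherwise turned into an `IS NULL` match (the problem the linked "Unsafe query generation" section covers) would make the link worth following.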
Member

Could you wrap your additions at around 80 chars please? The other guides aren't wrapped too. 😄

Also, this will need to be rebased. Thanks for the great work here so far! 👍

Contributor Author

Hey, thanks for the heads up, is it ok now? :)

deep_munge solves the CVE-2013-0155 security vulnerability, but its
behaviour is definitely confusing. This commit adds logging to deep_munge.
It logs keys for which values were set to nil.

Also mentions in guides were added.
rafaelfranca added a commit that referenced this pull request Jan 29, 2014
Log for which keys values were set to nil in deep_munge
@rafaelfranca rafaelfranca merged commit 0fcbc65 into rails:master Jan 29, 2014
@rafaelfranca (Member)

Thanks @lukesarnacki. Very good PR as always ❤️

@lukesarnacki (Contributor, Author)

Thanks @rafaelfranca :)
