Log for which keys values were set to nil in deep_munge #13813

Merged: 1 commit from lukesarnacki/log-deep-munge into rails:master, Jan 29, 2014

lukesarnacki (Contributor) commented Jan 23, 2014

I think we all want deep_munge to be gone soon, but I am afraid that we will have to wait a little bit longer. There are many developers who are not aware of this behaviour, so I thought that it would be nice of RoR if there were some kind of hint of what actually happened, so I added a log message when a value is set to nil in deep_munge.

I hope that with #13420 we will quickly make the code from this PR go away, but in case it takes a bit longer...

Any suggestions for a better log message would be awesome.

rafaelfranca (Member) commented Jan 23, 2014
Seems a good plan to me.


chancancode (Member) commented Jan 23, 2014

👍

lukesarnacki (Contributor) commented Jan 23, 2014
@rafaelfranca @chancancode I fixed the typos and made the logs a little bit smarter, so, for example, params[:article][:tags] is printed instead of just :tags. I will add a mention of deep_munge to the guides and link to it in the log message later today.


lukesarnacki (Contributor) commented Jan 24, 2014
@rafaelfranca @chancancode I added a deep_munge description to the guides. One mention is in the Action Controller Overview, in the "Hash and array parameters" section; the second one is in the security guide as the "Unsafe query generation" chapter. I think it covers this well, but I am not sure whether this is the proper place when it comes to the security guide.

The output will look like:

Value for params[:article][:tags] was set to nil, because it was one of [], [null] or [null, null, ...]. \
Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation for more information.

(the new line here is made for better readability)

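To make the message above concrete, here is an added illustration (not the Rails code from this PR) of a deep_munge-style pass: it rewrites [], [null] and [null, null, ...] to nil, the CVE-2013-0155 mitigation, and carries the key path down the recursion so the log can name params[:article][:tags] rather than just :tags. The class name DeepMunger and the wrapper munge_with_log are assumed names.

```ruby
require "logger"
# Added illustration, not the Rails code: a deep_munge-style pass that turns
# [], [nil] and [nil, nil, ...] into nil and logs the key path of each value it replaced.
class DeepMunger
  MESSAGE = "Value for %s was set to nil, because it was one of [], [null] or [null, null, ...]. " \
            "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation for more information."
  attr_reader :logged # key paths (as strings) whose values were set to nil

  def initialize(logger: Logger.new($stderr))
    @logger = logger
    @logged = []
  end

  # Walks `hash` in place; `path` is the list of keys leading to it.
  def munge(hash, path = ["params"])
    hash.each do |key, value|
      current = path + [key]
      case value
      when Array
        value.each { |v| munge(v, current) if v.is_a?(Hash) } # hashes inside arrays
        value.compact!                                         # drop nil elements
        if value.empty?                                        # was [], [nil] or [nil, nil, ...]
          hash[key] = nil
          log(current)
        end
      when Hash
        munge(value, current)
      end
    end
    hash
  end

  private
  # ["params", :article, :tags] => "params[:article][:tags]"
  def format_path(path)
    path.first.to_s + path.drop(1).map { |k| "[#{k.inspect}]" }.join
  end

  def log(path)
    key = format_path(path)
    @logged << key
    @logger.warn(MESSAGE % key)
  end
end
# Convenience wrapper (assumed name): munge without console output and return what was logged.
def munge_with_log(params)
  munger = DeepMunger.new(logger: Logger.new(nil))
  [munger.munge(params), munger.logged]
end
```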

lukesarnacki (Contributor) commented Jan 27, 2014
@rafaelfranca I corrected the mistakes you pointed out and added a mention in the configuration guide.

@robin850 Yeah, that line was getting very long ;) I changed it to a multiline string.


Log which keys were set to nil in deep_munge
deep_munge solves the CVE-2013-0155 security vulnerability, but its
behaviour is definitely confusing. This commit adds logging to deep_munge.
It logs the keys for which values were set to nil.

Also mentions in guides were added.

rafaelfranca added a commit that referenced this pull request Jan 29, 2014

Merge pull request #13813 from lukesarnacki/log-deep-munge
Log for which keys values were set to nil in deep_munge

@rafaelfranca rafaelfranca merged commit 0fcbc65 into rails:master Jan 29, 2014

1 check passed: The Travis CI build passed
rafaelfranca (Member) commented Jan 29, 2014
Thanks @lukesarnacki. Very good PR as always ❤️


lukesarnacki (Contributor) commented Jan 29, 2014
Thanks @rafaelfranca :)

