
new applications enforce whitelist mode for mass assignment #4062

Closed
wants to merge 1 commit into from

6 participants

Sergey Nartimov José Valim Jeremy Kemper Alexey Muranov Xavier Noria David Heinemeier Hansson
Sergey Nartimov

Previous issues: #3453 and #3952; according to the discussion it's OK to enable it in 4.0.

Sergey Nartimov

@josevalim Could you give comments about it? Can it be in 4.0?

José Valim
Owner

I have asked other Rails Core Teams for feedback. Let's wait. :) /cc @jeremy @dhh @fxn

Sergey Nartimov

Updated description to include both issues with discussion

Jeremy Kemper
Owner

Mixed feelings about this. +1 to secure-by-default, but geez, how did we end up here, having to list out accessible attributes for every model?

Seems like a lot of paperwork.

(If we do turn this on by default, the model generator should include attr_accessible too.)

Alexey Muranov

How about #3157?

Alexey Muranov

I think, during development I would like not to have to whitelist all needed attributes. In fact, I plan to use mass assignment security only in subclasses, not in the base classes that inherit directly from ActiveRecord::Base.

Xavier Noria
Owner

Same feeling as @jeremy: secure by default sounds good, but geez. Not sure I like this as a default. We have SQLite as the default to be able to fire up an application quickly and try stuff. People can opt in... not convinced.

David Heinemeier Hansson
Owner

Yeah, I don't like this idea either. -1.
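To make the trade-off the thread is arguing about concrete, here is an added example (not code from this pull request or from Rails itself): a stripped-down model of the two ActiveModel::MassAssignmentSecurity authorizers, showing what a request with an extra `admin` parameter does to a model that declares nothing under the old blacklist default versus the whitelist default this PR enables. The `Record`, `Post`, `Comment` classes and the `PARAMS` hash are constructed for the demonstration.

```ruby
# Added example, not Rails' own code: a stripped-down model of the two
# ActiveModel::MassAssignmentSecurity authorizers the pull request flips between.
require "set"

class BlackList                      # deny only what is listed (Rails 3.x default)
  def initialize(denied = []); @denied = Set.new(denied.map(&:to_s)); end
  def deny?(attr); @denied.include?(attr.to_s); end
end
class WhiteList                      # deny everything not listed (this PR's default)
  def initialize(allowed = []); @allowed = Set.new(allowed.map(&:to_s)); end
  def deny?(attr); !@allowed.include?(attr.to_s); end
end

module MassAssignment
  # Stands in for config.active_record.whitelist_attributes.
  def self.whitelist_attributes=(flag); @whitelist = flag; end
  def self.default_authorizer
    @whitelist ? WhiteList.new : BlackList.new(%w[id])  # blacklist protects only the key
  end
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # A model inherits its parent's declaration; a root model falls back to the default.
    def active_authorizer
      return @active_authorizer if @active_authorizer
      return superclass.active_authorizer if superclass.respond_to?(:active_authorizer)
      MassAssignment.default_authorizer
    end
    def attr_accessible(*attrs); @active_authorizer = WhiteList.new(attrs); end
    def attr_protected(*attrs); @active_authorizer = BlackList.new(attrs); end
  end

  # Silently drop denied keys, like sanitize_for_mass_assignment with the :logger sanitizer.
  def assign_attributes(params)
    auth = self.class.active_authorizer
    @attributes = params.reject { |k, _| auth.deny?(k) }.transform_keys(&:to_s)
    self
  end
  def attributes; @attributes || {}; end
end

class Record; include MassAssignment; end           # plays the ActiveRecord::Base role
class Post < Record; attr_accessible :title; end   # whitelists one attribute
class Comment < Record; end                         # declares nothing

# Constructed request parameters: the form only exposed "title".
PARAMS = { "title" => "Hello", "admin" => true }.freeze

def assigned(model, whitelist_default)
  MassAssignment.whitelist_attributes = whitelist_default
  model.new.assign_attributes(PARAMS).attributes
end
```

With the blacklist default `Comment` accepts `admin`; with the whitelist default it accepts nothing until it declares `attr_accessible`, which is exactly the "paperwork" the thread weighs against the safer default.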

José Valim (josevalim) closed this
Xavier Ordoquy (xordoquy) referenced this pull request in tomchristie/django-rest-framework:

Closed: Notes on migrating from DRF 2.4 to 3.0 #2375

Commits on Dec 20, 2011
  1. Sergey Nartimov
4 railties/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 4.0.0 (unreleased) ##
+* New applications enforce whitelist mode for mass assignment using `config.active_record.whitelist_attributes`
+ turned on by default in `config/application.rb`. *Sergey Nartimov*
+
## Rails 3.2.0 (unreleased) ##
* Added `config.exceptions_app` to set the exceptions application invoked by the ShowException middleware when an exception happens. Defaults to `ActionDispatch::PublicExceptions.new(Rails.public_path)`. *José Valim*
4 railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -54,12 +54,14 @@ class Application < Rails::Application
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
+<% unless options.skip_active_record? -%>
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
- # config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = true
+<% end -%>
<% unless options.skip_sprockets? -%>
# Enable the asset pipeline
config.assets.enabled = true
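Review bot: the comment block above the now-uncommented `config.active_record.whitelist_attributes = true` still reads as documentation for an opt-in ("This will create an empty whitelist…") and gives no way to opt out; reword it to say whitelist mode is enabled by default and that setting the option to `false` restores blacklist mode. Wrapping the block in `<% unless options.skip_active_record? -%>` is right and matches the `skip_sprockets?` guard directly below it.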
13 railties/test/application/configuration_test.rb
@@ -283,15 +283,22 @@ def index
end
test "sets all Active Record models to whitelist all attributes by default" do
+ require "#{app_path}/config/environment"
+
+ assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
+ ActiveRecord::Base.active_authorizers[:default].class
+ assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
+ end
+
+ test "sets all Active Record models to blacklist all attributes by default when whitelist is disabled" do
add_to_config <<-RUBY
- config.active_record.whitelist_attributes = true
+ config.active_record.whitelist_attributes = false
RUBY
require "#{app_path}/config/environment"
- assert_equal ActiveModel::MassAssignmentSecurity::WhiteList,
+ assert_equal ActiveModel::MassAssignmentSecurity::BlackList,
ActiveRecord::Base.active_authorizers[:default].class
- assert_equal [""], ActiveRecord::Base.active_authorizers[:default].to_a
end
test "registers interceptors with ActionMailer" do
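Review bot: the second test's name, "sets all Active Record models to blacklist all attributes by default when whitelist is disabled", overstates what a BlackList does and the assertion only checks the authorizer's class; either name it for the mode (for example "uses blacklist mode when whitelist_attributes is false") or keep an assertion on `to_a` as the whitelist test above does, so the two tests stay symmetric.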
1  railties/test/application/loading_test.rb
@@ -19,6 +19,7 @@ def app
test "constants in app are autoloaded" do
app_file "app/models/post.rb", <<-MODEL
class Post < ActiveRecord::Base
+ attr_accessible :title
validates_acceptance_of :title, :accept => "omg"
end
MODEL
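Review bot: `attr_accessible :title` appears without explanation in a test titled "constants in app are autoloaded"; a one-line comment saying it is required because the generated config now enables whitelist mode (the test body that mass-assigns `title` is outside this hunk) would stop someone later removing it as unrelated noise.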
10 railties/test/generators/app_generator_test.rb
@@ -202,7 +202,10 @@ def test_config_jdbc_database_when_no_option_given
def test_generator_if_skip_active_record_is_given
run_generator [destination_root, "--skip-active-record"]
assert_no_file "config/database.yml"
- assert_file "config/application.rb", /#\s+require\s+["']active_record\/railtie["']/
+ assert_file "config/application.rb" do |content|
+ assert_match(/#\s+require\s+["']active_record\/railtie["']/, content)
+ assert_no_match(/config.active_record.whitelist_attributes = true/, content)
+ end
assert_file "test/test_helper.rb" do |helper_content|
assert_no_match(/fixtures :all/, helper_content)
end
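Review bot: in `assert_no_match(/config.active_record.whitelist_attributes = true/, content)` the dots are unescaped and match any character; that is harmless for a negative assertion, but writing `config\.active_record\.whitelist_attributes` keeps the intent exact and matches the escaped style already used in the `active_record\/railtie` pattern just above it.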
@@ -230,6 +233,11 @@ def test_generator_if_skip_sprockets_is_given
assert_file "test/performance/browsing_test.rb"
end
+ def test_inclusion_of_activerecord_whitelist_attributes
+ run_generator([destination_root])
+ assert_file "config/application.rb", /config.active_record.whitelist_attributes = true/
+ end
+
def test_inclusion_of_therubyrhino_under_jruby
run_generator([destination_root])
if defined?(JRUBY_VERSION)
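Review bot: `assert_file "config/application.rb", /config.active_record.whitelist_attributes = true/` also matches the previously commented-out line `# config.active_record.whitelist_attributes = true`, so `test_inclusion_of_activerecord_whitelist_attributes` would still pass if the template change were reverted; anchor the pattern to the start of the line, e.g. `/^\s*config\.active_record\.whitelist_attributes = true/`.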
1  railties/test/isolation/abstract_unit.rb
@@ -261,6 +261,7 @@ def use_frameworks(arr)
:activerecord,
:activeresource] - arr
remove_from_config "config.active_record.identity_map = true" if to_remove.include? :activerecord
+ remove_from_config "config.active_record.whitelist_attributes = true" if to_remove.include? :activerecord
$:.reject! {|path| path =~ %r'/(#{to_remove.join('|')})/' }
end
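Review bot: `remove_from_config "config.active_record.whitelist_attributes = true"` repeats the template line as a literal string, exactly as the `identity_map` line above it does; if the template wording changes the removal becomes a silent no-op and isolation tests that drop `:activerecord` break for an unrelated-looking reason. An assertion that the string is actually present in the generated config before removal, or a shared constant used by both the template and this helper, would catch that drift.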