Improve requiring of scalar parameters

[p8]

Summary

The usage of ActionController::Parameters#require is a bit ambiguous.
It can be called for hashes, arrays and scalar values.
When a scalar value is expected but a hash is passed you might get
unexpected results:

ActionController::Parameters.new(name: { first: "Francesco" }).require(:name).downcase
# => NoMethodError (undefined method `downcase' for #<ActionController::Parameters:0x00007f8c631264b0>)

Similarly, when a hash is expected but a scalar value is passed:

ActionController::Parameters.new(person: "Francesco").require(:person).permit(:name)
# => NoMethodError (undefined method `permit' for "Francesco":String)

This requires developers to handle these unexpected exceptions instead
of just rescuing/ignoring ActionController::ParameterMissing.

There even is a warning documented in the rdoc of require to be
careful when requiring terminal values. For example, calling require
without permit can have unexpected results if unpermitted values are
passed:

ActionController::Parameters.new(name: Object.new).require(:name)
# => #<Object:0x00007f8c58637180>

Separate require methods for scalar and non scalar params

By restricting require to arrays and hashes, and adding a
require_scalar method for scalar values we can prevent these problems.

This allows us to raise an ActionController::ParameterMissing if a
required param doesn't have the expected type:

# when a hash is passed but a scalar value is expected
ActionController::Parameters.new(name: { first: "Francesco" }).require_scalar(:name).downcase
# => ActionController::ParameterMissing (param is missing or the value is empty: name)

# when a scalar value is passed but a hash is expected
ActionController::Parameters.new(person: "Francesco").require(:person).permit(:name)
# => ActionController::ParameterMissing (param is missing or the value is empty: person)

require_scalar also restricts the required values to permitted
scalar values.

ActionController::Parameters.new(name: Object.new).require_scalar(:name)
# => ActionController::ParameterMissing (param is missing or the value is empty: name)

Fixes: #42953

Other Information

This would be a breaking change requiring deprecation warnings.

Maybe we should make it even stricter and introduce methods
for each permited scalar type. This allows us to have stricter
checks and maybe even coerce to the proper type:

params = ActionController::Parameters.new(name: "Francesco", age: "22", active: "true")
params.require_string(:name) # => "Francesco"
params.require_integer(:age) # => 22
params.require_boolean(:active) # => true

[rails-bot]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

[martinemde]

RubyGems.org gets hit with enough pen-testing that this is a real annoyance. I would really love to see something like this in rails, but barring that, I'd like to see your code extracted to a gem.

@p8, what do you think?

[p8]

@martinemde Feel free to extract this to a gem 😄