
Filters out file uploads #89

ollym opened this Issue · 7 comments

3 participants


In the latest master revision. Had to revert to the gem....


Could you explain your issue better?

form_for @user, multipart: true do |f|
  f.file_field :image
end

When using master branch:

params.require(:user).permit :image # => {}

When using gem:

params.require(:user).permit :image # => { image: ... }

Can you try using the master branch of the gem? We whitelist scalar values now; maybe there's an edge case there.


@fxn Looks like you would have fixed it in that latest commit. However, I'm not sure why, but in the back of my mind I remember the file coming in as a Rack class? Maybe?

You need to write better test cases for this.


It is not a matter of better tests. We have a strict list of whitelisted types; if the type is not there, it is not a permitted scalar by definition.

The list of permitted scalars is new, if you confirm the type is legit and not included, then we will include it.


@fxn What issue does this strict whitelisting solve?


It is a first-line defense against unwanted injections.
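The behaviour discussed above (an uploaded file silently dropped by permit until its type is on the scalar whitelist) as an added, dependency-free example; this is not the gem's code. The UploadedFile struct stands in for the Rack/ActionDispatch upload class, and both type lists are assumptions modelled on the whitelist idea, not the gem's actual list.

```ruby
require "date"

# Stand-in for the upload object a multipart form produces (constructed;
# the real ActionDispatch::Http::UploadedFile is not loaded here).
UploadedFile = Struct.new(:original_filename, :content_type, :tempfile)

# Whitelist of scalar types (hypothetical subset modelled on the gem's idea):
# anything not an instance of one of these is dropped, never passed through.
BASE_SCALAR_TYPES = [String, Symbol, NilClass, Numeric, TrueClass, FalseClass,
                     Date, Time].freeze

# The fix under discussion: the upload type is added to the whitelist.
UPLOAD_AWARE_SCALAR_TYPES = (BASE_SCALAR_TYPES + [UploadedFile]).freeze

def permitted_scalar?(value, types)
  types.any? { |type| value.is_a?(type) }
end

# Keep only +keys+ whose values are whitelisted scalars. Unknown keys, hashes,
# arrays and objects of unlisted classes are all dropped without error, which
# is why a missing type shows up as an empty result rather than an exception.
def permit(params, keys, types: BASE_SCALAR_TYPES)
  params.each_with_object({}) do |(key, value), permitted|
    next unless keys.include?(key)
    permitted[key] = value if permitted_scalar?(value, types)
  end
end

# Constructed request params, as a multipart form with a file field would send.
UPLOAD = UploadedFile.new("avatar.png", "image/png", :tempfile_placeholder)
USER_PARAMS = { image: UPLOAD, name: "Olly", role: "admin", meta: { nested: 1 } }.freeze

if __FILE__ == $PROGRAM_NAME
  # Base list: name kept, image dropped (the behaviour reported in the issue).
  p permit(USER_PARAMS, [:image, :name])
  # Extended list: image kept, role still blocked because it was never permitted.
  p permit(USER_PARAMS, [:image, :name], types: UPLOAD_AWARE_SCALAR_TYPES)
  # A nested Hash is not a scalar, so it is dropped even when its key is permitted.
  p permit(USER_PARAMS, [:image, :name, :meta], types: UPLOAD_AWARE_SCALAR_TYPES)
end
```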
