Skip to content
This repository

Taint and required checking for Action Pack and enforcement in Active Model

branch: required_method

This branch is 1 commit ahead and 194 commits behind master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 lib
Octocat-spinner-32 test
Octocat-spinner-32 .gitignore
Octocat-spinner-32 Gemfile
Octocat-spinner-32 Gemfile.lock
Octocat-spinner-32 MIT-LICENSE
Octocat-spinner-32 README.rdoc
Octocat-spinner-32 Rakefile
Octocat-spinner-32 strong_parameters.gemspec
README.rdoc

Strong Parameters

Action Controller parameter attributes are now tainted by default and Active Model has been extended to check for tainted on mass assignment. This means you'll have to make a conscious choice about which attributes to allow for mass updating and this prevent accidentally exposing that which shouldn't be exposed.

In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.

class PeopleController < ActionController::Base
  # This will raise an ActiveModel::TaintedAttributes exception because it's using mass assignment
  # without an explicit permit step
  def create
    Person.create(params[:person])
  end

  # This will pass with flying colors as long as there's a person key in the parameters, otherwise
  # it'll raise a ActionController::MissingParameter exception, which will get caught by 
  # ActionController::Base and turned into that 400 Bad Request reply.
  def update
    redirect_to current_account.people.find(params[:id]).tap do |person|
      person.update_attributes!(person_params)
    end
  end

  private
    # Using a private method to encapsulate the permissible parameters is just a good pattern
    # since you'll be able to reuse the same permit list between create and update. Also, you
    # can specialize this method with per-user checking of permissible attributes.
    def person_params
      params.required[:person].permit(:name, :age)
    end
end

Thanks to Nick Kallen for the tainting idea!

Todos

  • Make this play nice with nested parameters [???]. Design:

    params.permit(:name, friends: [ :name, { family: [ :name ] }])
  • Automatically untaint parameters coming from a signed form [Yehuda]

Something went wrong with that request. Please try again.