diff options
| author | Prem Sichanugrist <s@sikac.hu> | 2014-07-25 12:00:14 -0400 |
|---|---|---|
| committer | Prem Sichanugrist <s@sikac.hu> | 2014-08-18 20:42:45 -0400 |
| commit | 5109740c6be67047df56feb164012c3a1a3c619b (patch) | |
| tree | c0cf051b99bc489055c747d7d143fd53cac7e9d3 /actionpack/lib/action_controller | |
| parent | dfeeecd2f3bde70f22174843ccfc594610b4eebc (diff) | |
| download | rails-5109740c6be67047df56feb164012c3a1a3c619b.tar.gz rails-5109740c6be67047df56feb164012c3a1a3c619b.tar.bz2 rails-5109740c6be67047df56feb164012c3a1a3c619b.zip | |
Make `AC::Params#to_h` return Hash with safe keys
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
Diffstat (limited to 'actionpack/lib/action_controller')
| -rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index bc27ecaa20..764474ad4e 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -141,6 +141,25 @@ module ActionController @permitted = self.class.permit_all_parameters end + # Returns a safe +Hash+ representation of this parameter with all + # unpermitted keys removed. + # + # params = ActionController::Parameters.new({ + # name: 'Senjougahara Hitagi', + # oddity: 'Heavy stone crab' + # }) + # params.to_h # => {} + # + # safe_params = params.permit(:name) + # safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} + def to_h + if permitted? + super + else + slice(*self.class.always_permitted_parameters).permit!.to_h + end + end + # Attribute that keeps track of converted arrays, if any, to avoid double # looping in the common use case permit + mass-assignment. Defined in a # method to instantiate it only if needed. |