diff options
Diffstat (limited to 'actionpack/lib')
| -rw-r--r-- | actionpack/lib/action_controller/log_subscriber.rb | 9 | ||||
| -rw-r--r-- | actionpack/lib/action_dispatch/request/utils.rb | 13 |
2 files changed, 18 insertions, 4 deletions
diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb index 9279d8bcea..823a1050b5 100644 --- a/actionpack/lib/action_controller/log_subscriber.rb +++ b/actionpack/lib/action_controller/log_subscriber.rb @@ -53,6 +53,15 @@ module ActionController debug("Unpermitted parameters: #{unpermitted_keys.join(", ")}") end + def deep_munge(event) + message = "Value for params[:#{event.payload[:keys].join('][:')}] was set"\ + "to nil, because it was one of [], [null] or [null, null, ...]."\ + "Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation"\ + "for more information."\ + + debug(message) + end + %w(write_fragment read_fragment exist_fragment? expire_fragment expire_page write_page).each do |method| class_eval <<-METHOD, __FILE__, __LINE__ + 1 diff --git a/actionpack/lib/action_dispatch/request/utils.rb b/actionpack/lib/action_dispatch/request/utils.rb index a6dca9741c..9d4f1aa3c5 100644 --- a/actionpack/lib/action_dispatch/request/utils.rb +++ b/actionpack/lib/action_dispatch/request/utils.rb @@ -7,18 +7,23 @@ module ActionDispatch class << self # Remove nils from the params hash - def deep_munge(hash) + def deep_munge(hash, keys = []) return hash unless perform_deep_munge hash.each do |k, v| + keys << k case v when Array - v.grep(Hash) { |x| deep_munge(x) } + v.grep(Hash) { |x| deep_munge(x, keys) } v.compact! - hash[k] = nil if v.empty? + if v.empty? + hash[k] = nil + ActiveSupport::Notifications.instrument("deep_munge.action_controller", keys: keys) + end when Hash - deep_munge(v) + deep_munge(v, keys) end + keys.pop end hash |