Why slicing the params hash poses a security issue on mass-assignment?

余生分开走 2021-02-13 03:25

The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not

5 answers
  •  花落未央
    2021-02-13 03:49

    Interesting gist from DHH on slicing in controller vs whitelisting alone:

    https://gist.github.com/1975644

    class PostsController < ActionController::Base
      def create
        # Only the whitelisted keys returned by post_params reach the model
        Post.create(post_params)
      end
    
      def update
        Post.find(params[:id]).update_attributes!(post_params)
      end
    
      private
        # Whitelist in the controller: slice keeps only :title and :content,
        # so any extra key in params[:post] is dropped before mass assignment
        def post_params
          params[:post].slice(:title, :content)
        end
    end
    

    Comment reinforcing the need to manage this within the controller:

    https://gist.github.com/1975644#gistcomment-88369

    I personally apply both - attr_accessible with slice to ensure nothing unexpected gets through. Never rely on blacklisting alone!
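As an added example that is not part of the answer or of DHH's gist, the following plain-Ruby simulation (no Rails; Post, its update_attributes and the request hash are constructed stand-ins) shows an unexpected 'published' key reaching the model when params are assigned unchecked, and being dropped when the controller slices first.

```ruby
# Added example, not the gist's or the answer's code: a Rails-free model of
# mass assignment showing why the controller slices params before assigning.

# Stand-in for an ActiveRecord model with no attr_accessible protection:
# update_attributes assigns every key it is handed, including 'published',
# which the edit form never exposes.
class Post
  ATTRIBUTES = %w[title content published].freeze
  attr_reader :title, :content, :published

  def initialize
    @title = nil
    @content = nil
    @published = false
  end

  def update_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_s
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Constructed request: a form submission carrying an extra 'published' field.
# Keys are strings, as a real request delivers them.
REQUEST_PARAMS = {
  'post' => { 'title' => 'Hello', 'content' => 'Body', 'published' => true }
}.freeze

# Controller action without whitelisting: the extra key reaches the model.
def update_unchecked(params)
  Post.new.update_attributes(params['post'])
end

# The gist's approach: slice the permitted keys in the controller first.
# Plain Hash#slice (Ruby >= 2.5) matches keys exactly, so the permitted
# names are strings here; Rails' params hash converts symbols for you,
# which is why the gist can pass :title and :content.
PERMITTED = %w[title content].freeze

def post_params(params)
  params['post'].slice(*PERMITTED)
end

def update_sliced(params)
  Post.new.update_attributes(post_params(params))
end
```

Slicing with symbol keys against a plain string-keyed hash silently returns an empty hash, so outside Rails the key type of the whitelist is worth a test of its own.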
