Skip to content

braintreeps/params_cleaner

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Params Cleaner

Travis CI Status

Usage

Params cleaner allows you to protect your Rails application from mass assignment attacks at the controller level. In any controller, simply mix in the ParamsCleaner module and specify which sub-keys are allowed for a given root key. Then, access your params using the clean_params method.

class PlayersController < ApplicationController
  include ParamsCleaner

  allowed_params :player => [:name, :email]

  def create
    @player = Player.new(clean_params[:player])

    if @player.save
      redirect_to player_path(@player)
    else
      render :new
    end
  end
end

The root keys specified will be checked on every level of the params hash, so you can easily protect deeply nested params hashes as well. For example, assume the following allowed_params declaration:

  allowed_params :player => [:name, :email]
                 :name => [:first, :last]

Now, assume the following params hash:

{
  :player => {
    :email => "drew@drewolson.org"
    :bad_key => "nefarious stuff",
    :name => {
      :first => "Drew",
      :last => "Olson",
      :nested_bad_key => "more nefarious stuff"
    }
  }
}

Here's what you'd see when calling the clean_params method:

clean_params[:player]
# => {:email => "drew@drewolson.org", :name => {:first => "Drew", :last => "Olson"}}

clean_params[:player][:name]
# => {:first => "Drew", :last => "Olson"}

ParamsCleaner also supports validating top-level params.

  allowed_params(
    :game_id,
    :player => [:name, :email]
  )

Now, assume the following params hash:

{
  :game_id => "id",
  :rating_id => "id",
  :player => {
    :email => "drew@drewolson.org"
    :bad_key => "nefarious stuff",
    :name => "Drew Olson"
  }
}

Here's what you'd see when calling the clean_params method:

clean_params
# => {:game_id => "id", :player => {:email => "drew@drewolson.org", :name => "Drew Olson"}}

You can even specify valid params for a given action:

  allowed_params_for :create, :player => [:name, :email]
  allowed_params_for :update, :player => [:name]

About

Rails mass assignment protection in the controller

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Ruby 100.0%