Martin Emde - Martin Emde

Learn more about my work on GitHub.

Latest Updates

Announcing The Gem Cooperative

don’t put all your gems in one basket

The former team from rubygems.org is excited to announce a new gem server for the Ruby community:

Right now, the current versions of RubyGems and Bundler work with this new server. All Ruby developers are welcome to switch to using this new server immediately. Just swap your primary source to https://gem.coop

The gem.coop server is simple and we aim to keep it that way. We plan to add features that serve to increase security and make packaging blazing fast. We want the default choice to be the secure choice.

Join us!

You can join us on the Bundler Slack to get involved in the discussion.

Questions?

How to convert to `params.expect` in Rails 8.0

After updating RubyGems.org to use the new params.expect feature in Rails 8, I thought it might be helpful to go over a few of the challenges I ran into.

Why Should I Convert to `params.expect`?

The new expect method for filtering params protects against user param tampering that can cause hard to rescue errors.

How to: Rails `params.expect`

In this post I will describe the new params.expect feature that I recently added to Rails 8 and go over how it works and how to use it.

Update: For an implementation guide, see my second post on params.expect.

params: An Attack Vector

All web application programmers learn not to trust user input.

Rails has long provided a simple pattern to prevent param tampering: params.permit. This protects our app from users that may alter params in order to insert attributes or alter behavior, like assigning admin to yourself.

  def update
    user_params = params.require(:user).permit(:name, :favorite_pie)

    if @user.update(user_params)
      redirect_to :user
    else
      render :edit
    end
  end

This works great when users submit the form correctly and even when they try to insert extra fields, like admin=true into the params. These attacks get filtered out.

But protecting us from correctly submitted forms and extra attributes is not enough. What if, as we regularly see on RubyGems.org, a user is trying to break your application by submitting malformed params? Problems start to emerge.

The solution in Rails 8 is the new params.expect.