As part of Cloud City Development’s ongoing effort to support Ruby open source, I’m proud to announce the new params.expect feature recently added to Rails 8.
params: An Attack Vector
All web application programmers learn not to trust user input.
Rails has long provided a simple pattern to prevent param tampering: params.permit. This protects our app from users that may alter params in order to insert attributes or alter behavior, like assigning admin to yourself.
def update
user_params = params.require(:user).permit(:name, :favorite_pie)
if @user.update(user_params)
redirect_to :user
else
render :edit
end
end
This works great when users submit the form correctly and even when they try to insert extra fields, like admin=true into the params. These attacks get filtered out.
But protecting us from correctly submitted forms and extra attributes is not enough. What if, as we regularly see on RubyGems.org, a user is trying to break your application by submitting malformed params? Problems start to emerge.
The solution in Rails 8 is the new params.expect.