As part of Cloud City Development’s ongoing effort to support Ruby open source, I’m proud to announce the new params.expect feature recently added to Rails 8.
params: An Attack Vector
All web application programmers learn not to trust user input.
Rails has long provided a simple pattern to prevent param tampering: params.permit. This protects our app from users who may alter params in order to insert attributes or alter behavior, like assigning admin to yourself.
This works great when users submit the form correctly and even when they try to insert extra fields, like admin=true, into the params. These attacks get filtered out.
But protecting us from correctly submitted forms and extra attributes is not enough. What if, as we regularly see on RubyGems.org, a user is trying to break your application by submitting malformed params? Problems start to emerge.
The solution in Rails 8 is the new params.expect.
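To make the contrast concrete, here is an added example (not code from this post or from Rails itself) that models both patterns with a small stand-in for ActionController::Parameters: the classic require/permit chain blows up with a NoMethodError (an HTTP 500) when the nested value is a string instead of a hash, while the expect style rejects the request up front with the same ParameterMissing error (HTTP 400) used for an absent key. The Params class, its simplified permit, and the sample requests are constructed for the illustration.

```ruby
# Minimal stand-in for ActionController::Parameters (constructed for this
# illustration, not Rails's own implementation).
class ParameterMissing < StandardError; end   # Rails renders this as HTTP 400

class Params
  def initialize(hash)
    @hash = hash
  end

  # Old pattern, step 1: require only checks presence, whatever the type,
  # so a bare string sails through and is returned as-is.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or empty: #{key}" if value.nil? || value == ""
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # Old pattern, step 2: keep only the allowed scalar keys (nested filters
  # omitted for brevity). Anything else, like admin=true, is dropped.
  def permit(*keys)
    @hash.slice(*keys.map(&:to_s))
  end

  # Rails 8 style: the nested value must be a non-empty hash, otherwise the
  # request is rejected with the same error as a missing key.
  def expect(spec)
    key, allowed = spec.first
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or malformed: #{key}" unless value.is_a?(Hash) && !value.empty?
    Params.new(value).permit(*allowed)
  end
end

# Constructed sample requests, as a framework would parse the query string.
WELL_FORMED = { "user" => { "name" => "alice", "admin" => "true" } }
MALFORMED   = { "user" => "alice" }   # ?user=alice instead of user[name]=alice

def old_style(raw)
  Params.new(raw).require(:user).permit(:name)   # String#permit -> NoMethodError
end

def new_style(raw)
  Params.new(raw).expect(user: [:name])          # -> ParameterMissing (400)
end
```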