In this post I will describe the new params.expect feature that I recently added to Rails 8 and go over how it works and how to use it.
Update: For an implementation guide, see my second post on params.expect.
params: An Attack Vector
All web application programmers learn not to trust user input.
Rails has long provided a simple pattern to prevent param tampering: params.permit. This protects our app from users who may alter params in order to insert attributes or alter behavior, like assigning admin to yourself.
def update
  # require(:user) fetches the nested :user params; permit whitelists the
  # attributes a user is allowed to set, so anything else is filtered out.
  user_params = params.require(:user).permit(:name, :favorite_pie)
  if @user.update(user_params)
    redirect_to :user
  else
    render :edit
  end
end
This works great when users submit the form correctly, and even when they try to insert extra fields like admin=true into the params: those attributes get filtered out.
But protecting us from correctly submitted forms and extra attributes is not enough. What if, as we regularly see on RubyGems.org, a user is trying to break your application by submitting malformed params? Problems start to emerge.
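To make that failure mode concrete, here is a standalone Ruby model of the require/permit contract, added to this post as an illustration. It is not ActionController::Parameters or any Rails code; the Params, ParameterMissing, filter and outcome names are our own, and only the two behaviours that matter here are reproduced: require passes any non-blank value through unchanged, and permit is only defined on a hash.

```ruby
# Standalone model of Rails' require/permit contract, written for this post.
# It is NOT ActionController::Parameters: only the behaviour discussed above
# is reproduced, and the Params and ParameterMissing names are ours.
class ParameterMissing < StandardError; end   # Rails answers its own version with HTTP 400

class Params
  def initialize(hash)
    @hash = hash
  end

  # require raises only when the key is absent or blank. It never checks that
  # the value is a Hash, so a String or Array submitted as ?user=foo or
  # ?user[]=foo is returned as-is.
  def require(key)
    value = @hash[key]
    if value.nil? || value == "" || value == []
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # permit keeps only the listed scalar keys; anything else (e.g. admin) is dropped.
  def permit(*keys)
    Params.new(@hash.slice(*keys))
  end

  def to_h
    @hash
  end
end

# Constructed sample input: a correct form submission with a smuggled admin=true.
GOOD = { user: { name: "Ada", favorite_pie: "pecan", admin: "true" } }

def filter(raw)
  Params.new(raw).require(:user).permit(:name, :favorite_pie).to_h
end

# Classify what the update action above would do with each kind of input.
def outcome(raw)
  filter(raw)
  :ok
rescue ParameterMissing
  :client_error_400   # missing/blank :user -> 400 Bad Request, the caller's fault
rescue NoMethodError
  :server_error_500   # String/Array has no #permit -> unhandled exception, a 500
end

outcome(GOOD)             # => :ok, with the admin key dropped
outcome({ user: "foo" })  # => :server_error_500, the malformed-params problem
```

Run with any recent Ruby; the last two lines show the good submission passing cleanly while a malformed ?user=foo crashes the action instead of being rejected as a client error.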
The solution in Rails 8 is the new params.expect.