Ruby on Rails Tuesday, July 3, 2018

Sure. You'll need to either shim the call to raw params with something like params.to_insecure_h, or actually fix the problem by selecting the specific params you mean with a strong parameters accessor method, something like

def nav_params
  params.permit(:controller, :action, :id)
end

and then refer to nav_params.merge... in your method instead of blindly taking all comers. Obviously you'd need to expand that list of allowed parameters to include any other params your actual URLs rely on (query strings, etc.). The nouns you express in that list should come from your routes file.

Walter

> On Jul 3, 2018, at 9:02 AM, Stephanie_Snowflake <spicychemist@gmail.com> wrote:
>
> Trying to update an existing app from Rails 4.2 to 5.2 (currently in Rails 5.0)
>
> Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.
>
>
> issue inside index.html.erb
>
> <%= link_to_export("Films", params) %>
>
> Anyone know of a solution to fix this?
>
> #application_helper.rb
> def link_to_export(text, params)
>   if current_user.admin?
>     link_to url_for(params.merge(format: "csv")), class: "btn btn-default" do
>       content_tag(:i, nil, class: "fa fa-download") + " " + text
>     end
>   end
> end
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/20ea35b5-feb2-45ca-8428-6d9a8c58b4fa%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/B6C5DD6C-76D4-4E39-8992-80DCBF473395%40wdstudio.com.
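The permit-list fix from the reply alongside the original raw merge, as an added Ruby example that is not part of the thread. It runs without Rails: StrongParams and url_for are small stand-ins (assumptions) for ActionController::Parameters and the Rails URL helper, modelling only the behaviour the warning is about.

```ruby
# Stand-in for ActionController::Parameters (assumption: only the
# permit/merge/to_h subset used below is modelled).
class StrongParams
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # Keep only the listed keys; an injected "host" or stray query key is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    StrongParams.new(@hash.select { |k, _| allowed.include?(k) })
  end

  def merge(other)
    StrongParams.new(@hash.merge(other.transform_keys(&:to_s)))
  end

  def to_h
    @hash.dup
  end
end

# Minimal url_for stand-in: "host" picks the site, controller/action/id/format
# build the path, leftovers become the query string. This is the point of the
# Rails warning: a "host" key in the hash changes where the link points.
def url_for(opts, default_host: "example.test")
  opts = opts.to_h
  host = opts.delete("host") || default_host
  path = "/#{opts.delete("controller")}/#{opts.delete("action")}"
  path << "/#{opts.delete("id")}" if opts["id"]
  fmt = opts.delete("format")
  path << ".#{fmt}" if fmt
  query = opts.map { |k, v| "#{k}=#{v}" }.join("&")
  "https://#{host}#{path}#{query.empty? ? "" : "?#{query}"}"
end

# Before: raw request params merged straight into url_for (original helper).
def export_url_unsafe(params)
  url_for(params.merge(format: "csv"))
end

# After: the nav_params accessor from the reply, permitting only route nouns.
def nav_params(params)
  params.permit(:controller, :action, :id)
end

def export_url_safe(params)
  url_for(nav_params(params).merge(format: "csv"))
end

# Constructed request whose query string was tampered with by the visitor.
TAMPERED = StrongParams.new("controller" => "films", "action" => "index",
                            "id" => "7", "host" => "evil.example", "x" => "y")
```

With the raw merge the export link lands on the tampered host and carries the stray query key; with the permit list it stays on the application's own host.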
