Rails 5 - Can someone explain how creating URLs from un-sanitized request parameters is unsafe?

Say I have the following:

link_to "Excel", params.merge(format: 'xlsx')

Rails 5 says

Trying to create a url from parameters without a sanitized request! An attacker could enter malicious data into the generated URL, for example, change the host. Whitelist and sanitize transferred parameters to ensure security.

I think I don’t understand how unsafe it is. Anyone can enter whatever they want into the browser and execute a GET request to my server. Who cares?

I know I can get around this with permit! What I'm trying to understand is what sanitizing my params actually accomplishes.

+5
2 answers

You should look at the documentation from both OWASP and Rails.

Using permit, you can stop attributes you do not want from being passed to your URL helper.

Consider the following link to your site coming from a Twitter message:

 http://example.com/your/action?host=phishingscam.example&path=login 

If your code looks like this, you have problems:

 link_to 'View Something', params.merge(format: 'xlsx') 

Now the link goes to:

 http://phishingscam.example/login.xlsx 

The attacking website phishingscam.example can set the content type to text/html and display a page similar to your registration form. A user who was on your site a minute ago and clicked to see something on your site believes that he is logged out and needs to log in again. Now our attacker has the user's credentials and can redirect them back to the proper link, with the user completely unaware of what happened.

This is a simple scenario. Things can get messy pretty quickly. You should read the Rails Security Guide to find out more.

+7

A simple way:

if you have something like this:

 link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class} 

You have to whitelist the permitted options.

You can use this:

 link_to title, params.permit(:direction, :page).merge(:sort => column, :direction => direction, :page => nil), {:class => css_class} 

Voila!!

+1
