Ensure params filtering take precedence over hash/array objects #567
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @carlosantoniodasilva, thanks for the PR. It's quite good at all! Tests are failing in Travis because a problem between our gemfiles and changes in rubygems. We'll fix master and merge a new PR with your commits, I think that will be the easiest. |
|
@jondeandres sounds good, thanks! If you want I can also merge master back here when it's resolved there, just let me know. |
|
I just pushed a fix for the tests to master. Could you merge master back into your branch? |
This matches the current Rails implementation of parameter filtering,
where it is possible to set a filter that will hide an entire array or
nested hash, instead of just the inner keys.
Consider the following params payload:
user: { username: "foo", password: "bar" }
Currently we can set a filter for both "username" and "password", but
setting for the entire "user" params hash does not work, it's simply
ignored, because we parse hashes separately looking at each individual
key first.
With this change, setting a filter for "user" would effectively hide it
from the payload, scrubbing the field as expected.
We do not rely on the result of the matching, or any part of it, just
whether it matches or not, so === is preferable as it's slightly faster
by not creating extra matching objects.
Also remove the condition for nil as it responds to === and always
returns false.
>> nil === 'zomg'
=> false
carlosantoniodasilva
force-pushed
the
fix-param-filter-array-hash
branch
from
94ae311
to
b2eba0e
Compare
|
@rokob thanks, I've rebased from master and CI is running again. |
|
This looks good to me, thanks! |
|
@rokob, can you release this? |
|
Yeah I will try to get a release out today. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This matches the current Rails implementation of parameter filtering, where it is possible to set a filter that will hide an entire array or nested hash, instead of just the inner keys.
Consider the following params payload:
Currently we can set a filter for both "username" and "password", but setting for the entire "user" params hash does not work, it's simply ignored, because we parse hashes separately looking at each individual key first - before checking the configured filter.
With this change, setting a filter for "user" would effectively hide it from the payload, scrubbing the field as expected, since we first check the filter before proceeding with other processing.
Unrelated: I'm getting this failure locally on both master and this branch:
I haven't stopped to check it properly, but doesn't seem to be related to the changes here since it's also happening on master.
Let me know if I can help with anything!