
Explicit parameters only #810

dblock opened this issue Nov 12, 2014 · 9 comments

@dblock
Member

dblock commented Nov 12, 2014

We need a way to say: only the parameters declared are allowed. For a new API the whitelist of params could really be super useful for typos and wondering why filter_by_foobbar_id=.... isn't working when you misspelled foobar.

@tyre
Contributor

tyre commented Nov 19, 2014

Something different from declared(params, include_missing: false)? If you would like it to raise errors, perhaps a declared!(params, options) method.

@dblock
Member Author

dblock commented Nov 19, 2014

I am thinking something global and declarative for an API.

@sunnyrjuneja
Contributor

@dblock Can I take this on? Also, if I don't respond within 30 days anyone else should feel free to take this on.

@dblock
Member Author

dblock commented Apr 1, 2015

Of course @whatasunnyday, no need to ask, just make pull requests!

@Fryie

Fryie commented Jun 5, 2015

IMHO declared(params) should be the default. Otherwise, it's just too easy to inject a mass assignment vulnerability in a Grape API. This lesson has been learned by Rails, that's why we first had attribute_accessible and now strong_params.

@23tux

23tux commented Aug 17, 2015

@Fryie +1

@wrtsprt

wrtsprt commented Jan 7, 2016

+1!

@senhalil

Any news on this feature? Currently we are handling this issue with a check along the lines of params.to_a - declared(params).to_a in dev/test but it is too crude.

I checked the existing PRs but it went a bit over my head unfortunately, so I don't think I can attack this ticket, but I wanted to say that I found both of the following constructs very useful.

params(undeclared: :ignore / :raise) do
end
class MyAPI < Grape::API
  include Grape::Params::AllowAny::False / True
end
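A concrete version of the "params minus declared(params)" check sketched above, added here as an example and not code from the Grape project. It is plain Ruby so it runs without Grape; it assumes Grape's declared(params) yields the declared subset as a hash (constructed hashes stand in for it here), and the before-block wiring at the end is an assumed usage, not an existing Grape option.

```ruby
# Normalise one hash level to string keys, since Grape params may carry
# string or symbol keys depending on how they were parsed.
def string_keyed(hash)
  hash.each_with_object({}) { |(k, v), acc| acc[k.to_s] = v }
end

# Return the dotted paths of every key present in `params` but absent from
# `declared`. Nested hashes are walked recursively; arrays of hashes are
# compared element-wise against the declared shape.
def undeclared_keys(params, declared, prefix = '')
  allowed = string_keyed(declared)
  params.each_with_object([]) do |(key, value), extra|
    name = key.to_s
    path = prefix.empty? ? name : "#{prefix}.#{name}"
    unless allowed.key?(name)
      extra << path
      next
    end
    shape = allowed[name]
    if value.is_a?(Hash) && shape.is_a?(Hash)
      extra.concat(undeclared_keys(value, shape, path))
    elsif value.is_a?(Array) && shape.is_a?(Array)
      value.each_with_index do |item, i|
        next unless item.is_a?(Hash)
        sub_shape = shape[i].is_a?(Hash) ? shape[i] : {}
        extra.concat(undeclared_keys(item, sub_shape, "#{path}[#{i}]"))
      end
    end
  end
end

class UndeclaredParamError < StandardError; end

# Reject a request that carries undeclared keys, naming them so a typo such
# as filter_by_foobbar_id is reported instead of silently ignored.
def reject_undeclared!(params, declared)
  extra = undeclared_keys(params, declared)
  raise UndeclaredParamError, "undeclared parameter(s): #{extra.join(', ')}" unless extra.empty?
  params
end

# Assumed wiring inside a Grape::API (not an existing Grape option):
#   before { reject_undeclared!(params.to_h, declared(params).to_h) }
```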

@dblock
Member Author

dblock commented Oct 19, 2023

@timjnh asked for this feature again in #2358, anyone wants to try to take it on?
