I am working on a legacy Rails application whose controllers contain many instances of params.permit!
When I run a Brakeman scan on it, params.permit!
is reported as opening the application up to mass assignment vulnerabilities.
My question is: what is the most effective way to get rid of this params.permit! vulnerability and replace it?
Best answer
params.permit!
whitelists every attribute, which leads to a mass assignment vulnerability. The best way to fix this is to whitelist only the attributes that are actually needed:
params.permit(:attr1, :attr2, ...)
Allows you to choose which attributes should be whitelisted for mass updating and thus prevent accidentally exposing that which shouldn't be exposed. Provides two methods for this purpose: require and permit. The former is used to mark parameters as required. The latter is used to set the parameter as permitted and limit which attributes should be allowed for mass updating.
params.require(:key).permit(:attr1, :attr2..)
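To make the difference between permit! and an explicit allowlist concrete, here is an added example that is not part of the question or the answer above. It does not use Rails; the class Params is a hypothetical stand-in for ActionController::Parameters that only mirrors the three methods discussed (permit!, permit, require), and the request payload and User struct are constructed for the demonstration.

```ruby
# Added example (not from the original post). `Params` is a hypothetical,
# minimal stand-in for ActionController::Parameters so the code runs without Rails.
class Params
  class ParameterMissing < StandardError; end

  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  # Mirrors params.permit!: every key is passed through, so any extra
  # attribute an attacker adds to the request reaches the model.
  def permit!
    @hash.dup
  end

  # Mirrors params.permit(:a, :b): only the listed keys survive.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end

  # Mirrors params.require(:key): the nested scope must be present,
  # otherwise the request is rejected instead of silently producing nil.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if value.nil?
    Params.new(value)
  end
end

# Constructed request payload: the client has added an `admin` field that
# the form never offered.
REQUEST_PARAMS = Params.new(
  "user" => { "name" => "alice", "email" => "alice@example.com", "admin" => true },
  "utf8" => "1"
)

# Constructed stand-in for a model with a privileged attribute.
User = Struct.new(:name, :email, :admin, keyword_init: true)

# Vulnerable form: params.require(:user).permit!
def vulnerable_user_params
  REQUEST_PARAMS.require(:user).permit!
end

# Hardened form: params.require(:user).permit(:name, :email)
def safe_user_params
  REQUEST_PARAMS.require(:user).permit(:name, :email)
end

# Simulates mass assignment: every permitted key becomes a model attribute.
def build_user(attrs)
  User.new(**attrs.transform_keys(&:to_sym))
end

if __FILE__ == $PROGRAM_NAME
  puts "permit!  -> admin=#{build_user(vulnerable_user_params).admin.inspect}"
  puts "permit() -> admin=#{build_user(safe_user_params).admin.inspect}"
end
```

Running the script shows that the permit! path lets the request flip admin to true, while the allowlisted path drops the key so the attribute keeps its default. The same Brakeman finding is resolved in a real controller by replacing each params.permit! with a require/permit chain that names only the attributes the form is meant to update.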
On the topic of ruby-on-rails - Ruby on Rails - when to use params.permit! and how to replace it, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52374655/