AaronLasseigne / active_interaction

:briefcase: Manage application specific business logic.
MIT License

allow hash inputs to take ActionController::Parameters #491

Closed ghost closed 2 years ago

ghost commented 3 years ago

Convert ActionController::Parameters to hash for hash inputs, the same way ActiveInteraction already converts ActionController::Parameters for overall inputs.

Previously, if params is an ActionController::Params and h is a hash input, then Interaction.run(params) would work, but Interaction.run(h: params) would raise an InvalidValueError.

This PR makes the latter case "just work".

h0jeZvgoxFepBQ2C commented 2 years ago

Can this be merged please? :D

AaronLasseigne commented 2 years ago

I don't think this is good from a security point of view. I don't mind calling to_unsafe_h on the main inputs because you have to define each input you want with a filter. We throw out everything else. In the case of a hash you could set strip: false and pass in a bunch of params not realizing what you've got. If you use that in a mass assignment it could cause issues. That's why Rails added strong params. If someone wants to pass the params into a hash I think it might be more reasonable to make them call to_unsafe_h so they know they're avoiding strong params.
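
The trade-off discussed in this thread, as an added example that is not part of the original thread and is not ActiveInteraction or Rails code: plain-Ruby stand-ins show what reaches a mass assignment when a hash filter converts params implicitly with stripping disabled, compared with the default stripping and with an explicit to_unsafe_h at the call site. FakeParams, hash_filter, its convert_params option, User and update_user are all hypothetical names.

```ruby
# Constructed stand-ins: plain Ruby, no Rails or ActiveInteraction required.

# Mimics the relevant trait of ActionController::Parameters: it is not a
# Hash, and the caller opts out of strong params only via to_unsafe_h.
class FakeParams
  def initialize(data)
    @data = data
  end

  def to_unsafe_h
    @data.dup
  end
end

# Hypothetical hash filter. strip: true keeps only declared keys;
# convert_params: true models the implicit conversion the PR proposes.
def hash_filter(value, declared_keys:, strip: true, convert_params: false)
  value = value.to_unsafe_h if convert_params && value.respond_to?(:to_unsafe_h)
  raise ArgumentError, "hash input must be a Hash" unless value.is_a?(Hash)
  strip ? value.slice(*declared_keys) : value
end

# Mass-assignment target: sets every attribute it is handed.
class User
  attr_accessor :name, :admin

  def assign(attrs)
    attrs.each { |key, val| public_send("#{key}=", val) }
    self
  end
end

# Constructed request body carrying a key the interaction never declared.
REQUEST = { name: "mallory", admin: true }.freeze

# Runs the filter, then mass-assigns whatever the filter let through.
def update_user(raw, **opts)
  User.new.assign(hash_filter(raw, declared_keys: [:name], **opts))
end
```

With implicit conversion and strip: false the undeclared admin key reaches the model without any unsafe call appearing in the calling code; with an explicit to_unsafe_h the same result is possible, but the opt-out is visible in review.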