ArgumentError at Localhost

ArgumentError at Localhost

Stephanie_Snowflake
Trying to update an existing app from Rails 4.2 to 5.2 (currently in Rails 5.0)

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.


Issue inside index.html.erb:

      <%= link_to_export("Films", params) %>

Anyone know of a solution to fix this?

#application_helper.rb
  def link_to_export(text, params)
    if current_user.admin?
      link_to url_for(params.merge(format: "csv")), class: "btn btn-default" do
        content_tag(:i, nil, class: "fa fa-download") + " " + text
      end
    end
  end


--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/20ea35b5-feb2-45ca-8428-6d9a8c58b4fa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: ArgumentError at Localhost

Walter Lee Davis
Sure. You'll need to either shim the call to raw params with something like params.to_insecure_h, or actually fix the problem by selecting the specific params you mean with a strong parameters accessor method, something like

def nav_params
  params.permit(:controller, :action, :id)
end

and then refer to nav_params.merge... in your method instead of blindly taking all comers. Obviously you'd need to expand that list of allowed parameters to include any other params your actual URLs rely on (query strings, etc.). The nouns you express in that list should come from your routes file.

Walter

> On Jul 3, 2018, at 9:02 AM, Stephanie_Snowflake <[hidden email]> wrote:
>
> Trying to update an existing app from Rails 4.2 to 5.2 (currently in Rails 5.0)

Re: ArgumentError at Localhost

Stephanie_Snowflake
#film.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(Serial Formula Width Length Area Shelf SO Phase)
      all.join_dimensions.each do |f|
        csv << [f.serial, f.formula, f.width, f.length, f.area, f.shelf, f.sales_order_code, f.phase]
      end
    end
  end


#film_movement.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(Serial Formula Width Length Order User DateTime)
      all.each do |m|
        csv << [m.serial, m.formula, m.width, m.length, m.sales_order_code, m.created_at]
      end
    end
  end


#line_item.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(SO# Type Custom-W Custom-L Pieces Wires Busbars Note)
      all.each do |o|
        csv << [o.sales_order_code, o.product_type, o.custom_width, o.custom_length, o.quantity, o.wire_length, o.busbar_type, o.note]
      end
    end
  end


#master_films.rb
  def self.to_csv(options = {})
    types = defect_types
    CSV.generate(options) do |csv|
      csv << %w(Serial Formula Mix/g Machine ITO Thinky b* Chemist Operator Inspector EffW EffL) + types
      all.each do |mf|
        csv << [mf.serial, mf.formula, mf.mix_mass, mf.machine_code, mf.film_code_top, mf.thinky_code, mf.b_value, mf.chemist, mf.operator, mf.inspector, mf.effective_width, mf.effective_length, mf.yield] + types.map { |type| mf.defect_count(type) }
      end
    end
  end


#sales_order.rb
  def self.to_csv(options = {})
    CSV.generate(options) do |csv|
      csv << %w(SO# Customer Released Due Ship-to Status Shipped Note)
      all.each do |o|
        csv << [o.code, o.customer, o.release_date, o.due_date, o.ship_to, o.status, o.ship_date, o.note]
      end
    end
  end

Is there documentation for this fav_params? 

Re: ArgumentError at Localhost

Walter Lee Davis

> On Jul 3, 2018, at 9:45 AM, Stephanie_Snowflake <[hidden email]> wrote:
> Is there documentation for this fav_params?

I'm not sure what your question refers to. There's no other instance of fav_params in the code you've quoted here. These are all models, not controllers, and models don't have access to the params. Read the Rails Guide about Strong Parameters. Start here: http://guides.rubyonrails.org and pick the version of Rails you are currently stuck in. You have to define the rules of the road for your application. Rails 2.3 used to do this with a macro in the model called attr_accessible. This changed to strong parameters (in the controller) in Rails 4.

Walter
