ArgumentError at Localhost


Stephanie_Snowflake

Jul 3, 2018, 9:02:08 AM7/3/18
to Ruby on Rails: Talk
Trying to update an existing app from Rails 4.2 to 5.2 (currently in Rails 5.0)

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.


issue inside index.html.erb

      <%= link_to_export("Films", params) %>

Anyone know of a solution to fix this?

#application_helper.rb
def link_to_export(text, params)
  if current_user.admin?
    # Passing the raw request params straight into url_for is what triggers the ArgumentError in Rails 5
    link_to url_for(params.merge(format: "csv")), class: "btn btn-default" do
      content_tag(:i, nil, class: "fa fa-download") + " " + text
    end
  end
end


Walter Lee Davis

Jul 3, 2018, 9:23:01 AM7/3/18
to rubyonra...@googlegroups.com
Sure. You'll need to either shim the call to raw params with something like params.to_insecure_h, or actually fix the problem by selecting the specific params you mean with a strong parameters accessor method, something like

def nav_params
params.permit(:controller, :action, :id)
end

and then refer to nav_params.merge... in your method instead of blindly taking all comers. Obviously you'd need to expand that list of allowed parameters to include any other params your actual URLs rely on (query strings, etc.). The nouns you express in that list should come from your routes file.

Walter

Stephanie_Snowflake

Jul 3, 2018, 9:45:34 AM7/3/18
to Ruby on Rails: Talk
#film.rb
def self.to_csv(options = {})
  CSV.generate(options) do |csv|
    csv << %w(Serial Formula Width Length Area Shelf SO Phase)
    all.join_dimensions.each do |f|
      csv << [f.serial, f.formula, f.width, f.length, f.area, f.shelf, f.sales_order_code, f.phase]
    end
  end
end


#film_movement.rb
def self.to_csv(options = {})
  CSV.generate(options) do |csv|
    csv << %w(Serial Formula Width Length Order User DateTime)
    all.each do |m|
      csv << [m.serial, m.formula, m.width, m.length, m.sales_order_code, m.created_at]
    end
  end
end

#line_item.rb
def self.to_csv(options = {})
  CSV.generate(options) do |csv|
    csv << %w(SO# Type Custom-W Custom-L Pieces Wires Busbars Note)
    all.each do |o|
      csv << [o.sales_order_code, o.product_type, o.custom_width, o.custom_length, o.quantity, o.wire_length, o.busbar_type, o.note]
    end
  end
end

#master_films.rb
def self.to_csv(options = {})
  types = defect_types
  CSV.generate(options) do |csv|
    csv << %w(Serial Formula Mix/g Machine ITO Thinky b* Chemist Operator Inspector EffW EffL) + types
    all.each do |mf|
      csv << [mf.serial, mf.formula, mf.mix_mass, mf.machine_code, mf.film_code_top, mf.thinky_code, mf.b_value, mf.chemist, mf.operator, mf.inspector, mf.effective_width, mf.effective_length, mf.yield] + types.map { |type| mf.defect_count(type) }
    end
  end
end

#sales_order.rb
def self.to_csv(options = {})
  CSV.generate(options) do |csv|
    csv << %w(SO# Customer Released Due Ship-to Status Shipped Note)
    all.each do |o|
      csv << [o.code, o.customer, o.release_date, o.due_date, o.ship_to, o.status, o.ship_date, o.note]
    end
  end
end

Is there documentation for this fav_params? 

Walter Lee Davis

Jul 3, 2018, 6:55:33 PM7/3/18
to rubyonra...@googlegroups.com
I'm not sure what your question refers to. There's no other instance of fav_params in the code you've quoted here. These are all models, not controllers, and models don't have access to the params. Read the Rails Guide about Strong Parameters. Start here: http://guides.rubyonrails.org and pick the version of Rails you are currently stuck in. You have to define the rules of the road for your application. Rails 2.3 used to do this with a macro in the model called attr_accessible. This changed to strong parameters (in the controller) in Rails 4.

Walter
