ActionController::Parameters need to be symbolized when working with keyword arguments


Philipp Preß

Mar 29, 2015, 5:30:20 PM
to rubyonra...@googlegroups.com
Hi,

you have a hard time working with ActionController::Parameters if you want to pass the parameter hash to a method that uses keyword arguments:

params = ActionController::Parameters.new(foo: :bar)
#=> {"foo"=>:bar}
def something(foo:)
end
#=> :something

something(params)
#=> ArgumentError: wrong number of arguments (1 for 0)

The reason for this is that HashWithIndifferentAccess defaults to strings for its keys, but Ruby requires the keys of a hash to be symbols if you want to pass it to the method as a parameter.

symbolized_params = params.symbolize_keys
#=> {:foo=>:bar}

something(symbolized_params)
#=> nil

I wonder if it's possible to change the behavior so that it's no longer necessary to explicitly symbolize the hash. Would you welcome a pull request that addresses this issue?

Looking forward to your feedback.

Best
Philipp

Anthony Richardson

Apr 2, 2015, 1:30:00 AM
to rubyonra...@googlegroups.com
In earlier versions of Ruby this would present a denial-of-service attack, as a malicious user could quickly consume all available symbol space by generating large amounts of random param keys in the URL. If I recall correctly, this was the case with earlier versions of Rails and resulted in a security service pack to fix. I think newer or latest Ruby no longer suffers from this limitation with symbols. You would want to verify that the minimum supported version of Ruby indeed has this symbol memory/limitation issue resolved before making a change like you suggest.

Maybe this should be a feature of strong parameters, so that keys not explicitly allowed are stripped, preventing such an attack.

Cheers

Anthony
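
Added example (not part of the original thread, and not Rails code): one way to build keyword arguments from request parameters without symbolizing every incoming key, following the allow-list idea in the reply above. A plain string-keyed Hash stands in for ActionController::Parameters, and `keyword_args_for` and `call_with_params` are hypothetical helper names.

```ruby
# Added example: pure Ruby, no Rails required. A string-keyed Hash stands in
# for ActionController::Parameters (assumption).

# Build a symbol-keyed Hash containing only the keyword parameters that
# `callable` declares. Symbols come from the method signature; to_sym is
# never called on a request-supplied key, so unknown keys cannot grow the
# symbol table and are silently dropped.
def keyword_args_for(callable, raw)
  declared = callable.parameters
                     .select { |type, _| %i[keyreq key].include?(type) }
                     .map { |_, name| name }
  declared.each_with_object({}) do |name, out|
    key = name.to_s
    out[name] = raw[key] if raw.key?(key)
  end
end

# Call `callable` with the filtered keywords. A missing required keyword
# still raises ArgumentError, which the caller can map to a 400 response.
def call_with_params(callable, raw)
  callable.call(**keyword_args_for(callable, raw))
end

# Hypothetical target method, modeled on the one in the thread.
def something(foo:, bar: nil)
  [foo, bar]
end

# Constructed sample input: one expected key plus two unexpected keys of the
# kind a client could add to a query string.
SAMPLE_PARAMS = {
  "foo" => "1",
  "x9f3k2q_injected" => "junk",
  "admin" => "true"
}.freeze

if __FILE__ == $PROGRAM_NAME
  p keyword_args_for(method(:something), SAMPLE_PARAMS)
  p call_with_params(method(:something), SAMPLE_PARAMS)
end
```

Only `:keyreq` and `:key` parameters are honored; a method that declares `**opts` gets no extra keys from this helper, which keeps the allow-list bounded by the names written in the signature.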
