Block public access to some expensive parameters (#1084)
Some query parameters cause expensive queries, so they are now disallowed for public, non-logged-in usage. If you try to use them without being logged in, you’ll get a 403 response with a message about what parameters for that controller require logging in. If we need to extend this to other places, we can use the new `BlockedParamsConcern` on a controller. Fixes #1070.
Showing 8 changed files with 131 additions and 3 deletions.
@@ -0,0 +1,57 @@ | ||
# Block unauthenticated requests that use certain params with a 403 (Forbidden) | ||
# error. This can be used to prevent abuse of options that may cause expensive | ||
# operations. | ||
module BlockedParamsConcern | ||
extend ActiveSupport::Concern | ||
|
||
module ClassMethods | ||
attr_reader :blocked_public_params | ||
|
||
private | ||
|
||
# Raise an exception on any non-logged-in request that uses the specified | ||
# params. | ||
# | ||
# @param actions [:all, Array<Symbol>] Only block the params on these | ||
# actions. If `:all` or not set, blocking is applied to all actions. | ||
# @param params [Array<Symbol, String>] Param names to block. | ||
# | ||
# @example | ||
# class MyController | ||
# include BlockedParamsConcern | ||
# block_params_for_public_users actions: [:index, :show] | ||
# params: [:bad, :params, :here] | ||
# end | ||
def block_params_for_public_users(actions: nil, params:) | ||
actions = nil if actions == :all | ||
actions = [actions] unless actions.nil? || actions.is_a?(Array) | ||
actions = actions&.collect(&:to_s) | ||
|
||
@blocked_public_params ||= {} | ||
@blocked_public_params[actions] = params.collect(&:to_s) | ||
end | ||
end | ||
|
||
included do | ||
before_action :check_non_public_params! | ||
end | ||
|
||
protected | ||
|
||
def check_non_public_params! | ||
return unless self.class.blocked_public_params | ||
|
||
blocked = self.class.blocked_public_params.flat_map do |actions, params| | ||
actions.nil? || actions.include?(action_name) ? params : nil | ||
end | ||
|
||
raise_for_non_public_params!(blocked) | ||
end | ||
|
||
def raise_for_non_public_params!(blocked_params) | ||
if !current_user && blocked_params.intersect?(params.keys) | ||
names = blocked_params.collect {|p| "`#{p}`"}.join(', ') | ||
raise Api::ForbiddenError, "You must be logged in to use the params: #{names}" | ||
end | ||
end | ||
end |
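Review bot: In `check_non_public_params!`, the `flat_map` block returns `nil` for every rule whose `actions` list does not include the current action, so `blocked` can contain `nil` entries; when another rule does match and the request is unauthenticated, the message built in `raise_for_non_public_params!` then renders an empty "``" name alongside the real ones. Returning `[]` instead of `nil` from the block (or appending `.compact` to the `flat_map` result) fixes this. Two further points for the same file: `@blocked_public_params` is a class-instance variable read through `attr_reader`, so a controller subclass that does not call `block_params_for_public_users` itself gets `nil` from `self.class.blocked_public_params` and skips the check entirely, which should be documented (or avoided with `class_attribute`) if any controller using this concern is subclassed; and `Array#intersect?` requires Ruby 3.1 or later, which is worth noting in the module comment.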