I already read some posts, such as Match the whitelist using strong options in Rails 4, but this is not quite what I need.
I have a controller that takes an identifier and loads a model. It also optionally receives a query string parameter (style), which may be one of three values: small, medium or large. This is passed to a model method, which uses it to retrieve the attached image (using Paperclip). I noticed that if I pass an invalid parameter (for example style=wibble), I get a 400 error and a notification that the internal file path does not exist. Brakeman also notes this as a security issue ...
def show
  # Optional ?style= query parameter; defaults to the medium rendition
  style = params[:style] || :medium
  thing = Model.find(params[:id])
  # The user-supplied style ends up in the file path that is served
  path = "#{Rails.root}/public#{thing.image_url(style)}"
  content_type = thing.image.content_type || 'image/png'
  send_file path, type: content_type, disposition: 'inline'
end
We use ActionController::Parameters elsewhere to great effect, but I don't see how it can be a "white list" of parameter values. Everywhere I have looked it is said that it uses a model validator, but only on the condition that I am passing parameters to update a model, which I am not.
I know I can do something like:
# style.to_s so the default symbol :medium matches the string allowlist
return head :not_found unless %w(small medium large).include?(style.to_s)
Is this the best way?
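An added example, not part of the question above, showing the allowlist as a lookup that maps the raw parameter onto a fixed set of style symbols, so the file path is never built from user-controlled text; `public_root` and the `image_url_for` lambda are stand-ins for Rails.root/public and thing.image_url(style):

```ruby
# Allowed Paperclip style names; anything not a key here is rejected.
IMAGE_STYLES = { 'small' => :small, 'medium' => :medium, 'large' => :large }.freeze
DEFAULT_STYLE = :medium

# Map the raw ?style= value onto a known style symbol.
# Accepts String or Symbol input (so a :medium default and a "medium"
# query value behave the same) and returns nil for anything outside the
# allowlist, including path-like strings such as "../../etc/passwd".
def resolve_style(raw)
  return DEFAULT_STYLE if raw.nil? || raw.to_s.empty?
  IMAGE_STYLES[raw.to_s]
end

# Controller-style outcome: [status, path]. The path is assembled only from
# the resolved symbol, never from the original parameter. image_url_for is
# a constructed stand-in for thing.image_url(style).
def serve_image(raw_style, public_root, image_url_for)
  style = resolve_style(raw_style)
  return [:not_found, nil] if style.nil?
  [:ok, File.join(public_root, 'public', image_url_for.call(style))]
end
```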