Feature: Add strong parameters to the PasswordsController #5747
Comments
@hakeem0114 I don't agree. The code you reference is devise/app/controllers/devise_controller.rb (lines 221 to 223 in fec67f9), but params.fetch (see https://api.rubyonrails.org/classes/ActionController/Parameters.html#method-i-fetch) still returns an ActionController::Parameters instance (unless the resource name is not present in the params, but in this case it will return an empty hash), so it is still subject to ActionController::Parameters prevention of mass-assignment (like
@timdiggins Thanks for the comment!
@hakeem0114 Ah - ok, if it's a feature request, what benefit does it bring? (The problem statement still implies to me that it's a security issue.) FYI: after more looking, I think that in fact the security in devise (from not mass assigning) doesn't really come from strong parameters but from a very similar (but unconnected) route -- see
Problem
The Devise::PasswordsController uses unsanitized resource_params during password reset, which could lead to security issues.
Proposal
:reset_password action to the DEFAULT_PERMITTED_ATTRIBUTES Devise::PasswordsController.
This will ensure the parameters used in the Devise::PasswordsController are sanitized, maintaining consistency with other controllers like RegistrationController and SessionController.