Patch #25570
open
unchecked use of params[:query]
0%
Description
Requests to URLs like /issues?query=12 result in an application error because query.rb expects params[:query] to be a hash, which it isn't in this case.
I know that there are a more instances in the code base where we assume params[:foo] to be a hash without explicit type checking. This patch does not attempt to address this problem on a global level. For whatever reason it happens to us quite often in this particular place, causing false alerts in server monitoring.
This patch adds an explicit type check to resolve this params[:query] case. As a bonus it makes the following 4 lines where values are taken out of the hash a bit nicer.
In general I think it would be preferably to raise an error of the 4xx class in such cases. Are there any plans to make use of Rails' Strong Parameters feature in the future? I think using these permit / require calls on parameters in controllers would catch such wrong types early and would lead to responses with a more appropriate error code automatically.
Files
Updated by Jens Krämer about 7 years ago
wherever I wrote 'to be a hash', I mean 'accessible like a hash'. It's an ActionController::Paramaters instance that we want.
Updated by Jens Krämer about 6 years ago
As it turns out the patch causes problems when saving queries and thus I wouldn't recommend applying this.