Rails 5.0.0.beta1 - Generating an URL from non sanitized request parameters is insecure

We are upgrading from Rails 4.2.5 to 5.0.0.beta1.

When testing we expected to see index views rendered with paginated links as before. But we now get an ArgumentError error page, for example:

ArgumentError in Transactions#index
/app/views/kaminari/_paginator.html.erb where line #10 raised:

<%= paginator.render do -%>

Generating an URL from non sanitized request parameters is insecure!

app/views/kaminari/_paginator.html.erb:10:in `block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/kaminari/_paginator.html.erb:9:in `_app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/transactions/index.html.erb:2:in `_app_views_transactions_index_html_erb__422882858554400818_60602560'

An issue has been raised with kaminari.

On further investigation, here is the new Rails 5.0.0.beta1 code that now throws the error: actionpack/lib/action_dispatch/routing/url_for.rb

Adding this to config/application.rb 'fixes' it, but it is not a great idea:

config.action_controller.permit_all_parameters = true

Instead, adding this does not fix the issue; not sure why:

config.action_controller.always_permitted_parameters = [:current_page, :page, :total_pages, :per_page, :remote, :paginator]
KeithP asked Dec 22 '15
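As an added example, not code from the question, Kaminari or Rails: a small Ruby model of the guard in url_for.rb and of why `permit_all_parameters = true` is the wrong fix. `Params` is a hand-written stand-in for `ActionController::Parameters` (in Rails 5 it is no longer a Hash and carries a `permitted?` flag), `url_for` is a toy router that, like the real one, honours a `host` option, the `permit_all:` keyword stands in for the config setting, and `page_link_unsafe`, `page_link_safe` and `ATTACKER_PARAMS` are constructed for the illustration.

```ruby
# Added illustration for this question; not Rails or Kaminari code.
# `Params` is a minimal stand-in for ActionController::Parameters in Rails 5:
# it is no longer a Hash and remembers whether it was sanitised via #permit.
class Params
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s) # request params arrive with string keys
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Keep only the allow-listed keys and mark the result as sanitised.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  # Merging keeps the receiver's permitted flag, as Rails does.
  def merge(other)
    Params.new(@hash.merge(other.transform_keys(&:to_s)), permitted: @permitted)
  end

  def to_h
    @hash.dup
  end
end

# Mirrors the guard the question points at in
# actionpack/lib/action_dispatch/routing/url_for.rb (Rails 5.0.0.beta1).
# `permit_all` stands in for config.action_controller.permit_all_parameters.
# The URL assembly is a deliberately tiny model of the router; like the real
# url_for it honours a host option, which is exactly what the guard protects.
def url_for(options, permit_all: false)
  if options.is_a?(Params) && !options.permitted? && !permit_all
    raise ArgumentError, "Generating an URL from non sanitized request parameters is insecure!"
  end
  opts = options.to_h
  host = opts.delete("host") || "example.com"
  path = opts.delete("path") || "/transactions"
  query = opts.sort.map { |k, v| "#{k}=#{v}" }.join("&")
  "https://#{host}#{path}#{query.empty? ? "" : "?#{query}"}"
end

# What a paginator does: reuse the current request params with a new page number.

# Forwards the raw request params: Rails 5 rejects it, and with
# permit_all_parameters it would let attacker-supplied keys into the link.
def page_link_unsafe(request_params, page, permit_all: false)
  url_for(request_params.merge({ "page" => page }), permit_all: permit_all)
end

# Allow-lists the keys a pagination link may legitimately carry.
def page_link_safe(request_params, page)
  url_for(request_params.permit(:page, :per_page).merge({ "page" => page }))
end

# Constructed request: page 1 requested, with a smuggled host parameter.
ATTACKER_PARAMS = Params.new({ "page" => "1", "per_page" => "25", "host" => "evil.example" })

if $PROGRAM_NAME == __FILE__
  begin
    page_link_unsafe(ATTACKER_PARAMS, 2)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts "permit_all_parameters: #{page_link_unsafe(ATTACKER_PARAMS, 2, permit_all: true)}"
  puts "allow-listed:          #{page_link_safe(ATTACKER_PARAMS, 2)}"
end
```

With the guard in place the unsafe link raises the same ArgumentError as the question; with `permit_all` the generated link points at `evil.example`, which is the host-injection the guard exists to stop; the allow-listed version keeps only `page` and `per_page` and never raises. This is also why the `always_permitted_parameters` setting in the question changes nothing: it only lists keys that `permit` lets through without being named, it never flips `permitted?` on the request's `Parameters` object, and `permitted?` is what url_for checks.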


1 Answer

This appears to be fixed in the GitHub master branch, so for now in your Gemfile specify:

gem 'kaminari', :git => "git://github.com/amatsuda/kaminari.git", :branch => 'master'
KeithP answered Oct 13 '22