Rails 5.0.0.beta1 - Generating an URL from non sanitized request parameters is insecure
We are upgrading from Rails 4.2.5 to 5.0.0.beta1

When testing we expected to see index views rendered with paginated links as before. But we now get an ArgumentError error page, for example:

ArgumentError in Transactions#index
/app/views/kaminari/_paginator.html.erb where line #10 raised:

<%= paginator.render do -%>

Generating an URL from non sanitized request parameters is insecure!

app/views/kaminari/_paginator.html.erb:10:in `block in _app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/kaminari/_paginator.html.erb:9:in `_app_views_kaminari__paginator_html_erb___4026289994022119719_69904100316060'
app/views/transactions/index.html.erb:2:in `_app_views_transactions_index_html_erb__422882858554400818_60602560'

An issue has been raised with kaminari

On further investigation, here is the new Rails 5.0.0.beta1 code that now throws the error: actionpack/lib/action_dispatch/routing/url_for.rb

Adding this to config/application.rb 'fixes' it, but it's not a great idea:

config.action_controller.permit_all_parameters = true

Adding this instead does not fix the issue; not sure why:

config.action_controller.always_permitted_parameters = [:current_page, :page, :total_pages, :per_page, :remote, :paginator]
Spacecraft answered 22/12, 2015 at 10:44 Comment(0)

This appears to be fixed in the GitHub master branch, so for now, in your Gemfile, specify:

gem 'kaminari', :git => "git://github.com/amatsuda/kaminari.git", :branch => 'master'
Spacecraft answered 23/12, 2015 at 14:26 Comment(2)
This worked, thanks. A shorter version though: gem "kaminari", github: "amatsuda/kaminari". - Delayedaction
Kaminari 0.17.0 was released with this fix: github.com/amatsuda/kaminari/blob/master/CHANGELOG.rdoc#0170 - Catling
