    Handle path_params gracefully when a user sends ?path_params=string · 1a57c152
    Martin Emde authored
    In some cases, params are passed into url_for, causing path_params
    to be sent unintentionally. It is possible either to send a string,
    causing a 500 error, or to send a hash: ?path_params[inject]=string.
    
    I spent some time before posting this reviewing whether it was
    possible to exploit the fact that path_params can be sent in query
    params, but I don't believe there to be a vulnerability, although
    it is probably good practice to scrub this key when sending
    params to url_for just to be sure.
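Added example (plain Ruby, not code from this commit or from Rails) of the scrub the message recommends: the reserved `path_params` key is dropped from user-supplied params before they reach url_for, and the two query shapes named above (`?path_params=string` and `?path_params[inject]=string`) are constructed inline. `build_path` is a hypothetical stand-in for url_for that only shows why a String there fails; it is not Rails's implementation.

```ruby
# Reserved option that url_for interprets as route segment values.
RESERVED_KEY = "path_params".freeze

# Returns [clean_params, tampered?]: a copy of params with every form of the
# reserved key removed (String or Symbol key, any value shape), plus a flag so
# the caller can log requests that carried it.
def scrub_path_params(params)
  clean = {}
  tampered = false
  params.each do |key, value|
    if key.to_s == RESERVED_KEY
      tampered = true   # drop it whether it is a String, Hash, Array or nil
      next
    end
    clean[key] = value
  end
  [clean, tampered]
end

# Hypothetical stand-in for url_for: fills ":segment" placeholders in route
# from options["path_params"], which must be a Hash. A String value here is
# the shape that produced the 500 described in the commit message.
def build_path(route, options)
  path_params = options.fetch("path_params", {})
  unless path_params.is_a?(Hash)
    raise TypeError, "path_params must be a Hash, got #{path_params.class}"
  end
  route.split("/").map do |seg|
    seg.start_with?(":") ? path_params.fetch(seg[1..-1]) { seg } : seg
  end.join("/")
end

if __FILE__ == $0
  # Constructed samples of what the query parser yields for the two cases.
  from_string = { "page" => "2", "path_params" => "string" }
  from_hash   = { "page" => "2", "path_params" => { "inject" => "string" } }
  [from_string, from_hash].each do |incoming|
    clean, flagged = scrub_path_params(incoming)
    puts "tampered=#{flagged} clean=#{clean.inspect}"
    puts build_path("/users/:id", clean)   # safe: reserved key no longer present
  end
end
```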