tainted_hash icon indicating copy to clipboard operation
tainted_hash copied to clipboard
verified publisher icon github

Support deeply nested structures with TaintedHash

Open ptoomey3 opened this issue 8 years ago • 3 comments

Before this change, any deeply nested strcuture would result in a regular Hash being returned, potentially leaving an application open to mass assignment issues.

    hash = {'a' => 1, 'b' => [{'c' => [{'d' => 2, 'e' => 3}]}]}
    tainted = TaintedHash.new hash
    class_type = tainted[:b][0][:c][0].class

In the above, class_type would be Hash instead of TaintedHash. So, we now support deep tainting/untainting to prevent this.

I'm not even 100% sure we should merge this, as I am always a bit hesitant to mess with a foundational class like this :smile:

ptoomey3 avatar Apr 27 '17 21:04 ptoomey3

@github/appsec - Any edge cases you think I should add tests for?

ptoomey3 avatar Apr 27 '17 21:04 ptoomey3

FYI @scottjg

ptoomey3 avatar Apr 27 '17 21:04 ptoomey3

@technoweenie - I had to temporarily comment out some of the code in here that calls symbolize_keys while testing, since the default rake task doesn't suck in any rails stuff to monkey patch the default Hash. Does that ring a bell (asking a lot I know..given the sporadic updates to this project)?

ptoomey3 avatar Apr 27 '17 21:04 ptoomey3