[Rails] Please use symbols for polymorphic route arguments
This error occurred today on our platform. The issue is tracked at https://github.com/rails/rails/issues/42157
It is caused by a new Rails security patch, tracked as CVE-2021-22885.
You can no longer call polymorphic_path or the other dynamic path helpers with strings, because if those strings come from user input they could result in unwanted route helper calls.
    # previous call
    polymorphic_path([article, "authors"])

    # should now be
    polymorphic_path([article, "authors".to_sym])

    # or better
    polymorphic_path([article, :authors])
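The point of the patch is that the argument array, not just the record, now decides which route helper gets called, so a string taken from params must never be passed through unchanged. Converting it with .to_sym does not change that: the request would still choose the helper. The added example below (written for this post; it is not code from the original post or from Rails) models the helper-name assembly in a few lines and shows an allow-list that maps an untrusted section name onto a fixed set of symbols before it reaches the helper. The Article struct, route_key, ALLOWED_SEGMENTS, route_segment and build_helper_name are all assumptions made for the example; only the error message is the one Rails raises.

```ruby
# Stand-in for an Active Record model; only the route key matters here (assumption).
Article = Struct.new(:id) do
  def route_key
    :article
  end
end

# Segments a view is allowed to append to a record's route (assumed allow-list).
# Anything not listed here is rejected, whatever the request sends.
ALLOWED_SEGMENTS = %i[authors comments].freeze

# Map an untrusted string (e.g. params[:section]) onto one of the allow-listed
# symbols. Note that params[:section].to_sym would NOT be a fix: the request
# would still pick the helper, and it would create arbitrary symbols.
def route_segment(name)
  sym = ALLOWED_SEGMENTS.find { |allowed| allowed.to_s == name.to_s }
  raise ArgumentError, "unknown route segment: #{name.inspect}" if sym.nil?
  sym
end

# Simplified model of what a polymorphic helper does with its argument array:
# records contribute their route key, symbols contribute themselves, and a
# String is refused with the message from the patched Rails release.
def build_helper_name(parts)
  names = parts.map do |part|
    case part
    when Symbol then part
    when String then raise ArgumentError, "Please use symbols for polymorphic route arguments"
    else part.route_key
    end
  end
  "#{names.join('_')}_path"
end

if $PROGRAM_NAME == __FILE__
  article = Article.new(42)
  # Constructed request input: a value the view is allowed to link to.
  puts build_helper_name([article, route_segment("authors")])   # article_authors_path

  # Constructed request input that is not on the allow-list is rejected before
  # any helper name is assembled.
  begin
    route_segment("something_else")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end

  # Passing the raw string, as before the patch, is now refused outright.
  begin
    build_helper_name([article, "authors"])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

In a real view the last step would be polymorphic_path([article, route_segment(params[:section])]); the allow-list is what keeps the set of reachable helpers fixed at deploy time.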
Migration effort
A perspective on how serious this upgrade is: tl;dr, it is not serious, about half an hour of work.
All the calls to polymorphic_path in our platform:
    $ git grep "polymorphic_path" | wc -l
    321
All the files that have calls to polymorphic_path:
    $ git grep -l "polymorphic_path" | wc -l
    143
Number of files I changed: 13
Time it took me to review all of them: 16 minutes, from 18:24 to 18:40
Now I am waiting for specs to pass.
I guess it is not a big change and could be migrated in half an hour. Most of our calls were using symbols already, and only about 15 calls out of 321 were with strings. That is 4% of all the calls.