iago-silva / service_it
[Service Objects] Simple gem to keep your controllers and models slim and readable
License: MIT License
A potential issue I see is that you could lead yourself to param injection without the proper documentation.
In the README, it suggests using it as: Foo.call(params)
If for instance, somebody passed params directly from a "Rails" controller (I realize this doesn't suggest that we're using rails, but a lot of people using Ruby gems are), that would set all the ivars.
Now...
If somebody using this gem decides to memoize the stripping of tags with:
# Memoised accessor: the first call strips tags from @body and caches the
# result in @stripped_body; later calls return the cached value untouched.
def body
  @stripped_body ||= strip_tags(@body)
end
The "attacker" would then be capable of "injecting" @stripped_body into the service controller using any parameter. If this was put into the database and "blindly" displayed to users, it would result in an XSS injection.
Now, I don't believe it's your gem's responsibility to necessarily fix this, but I do think this should be mentioned in the documentation, along with a second possible option:
If an object responds to permitted? and permitted? == false, then throw an exception, which would make it do the same thing Rails does and have a safe fallback without getting in the way of non-Rails users.
I realize this is an edge case, but I could see code being used exactly that way.
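The two behaviours the comment above contrasts, as an added example that is not part of the issue or of the service_it gem: a stand-in base class that copies every hash key into an instance variable (the pattern the comment warns about), next to a variant that rejects unpermitted Rails-style params via `permitted?` and only copies declared attributes. The `ParamInjection` error, the `permitted_params` allow-list, the `UnpermittedParams` stand-in for `ActionController::Parameters`, the regex `strip_tags` and the request hash are all constructed for this illustration.

```ruby
# Added example: NOT the service_it gem's own code. The base classes, the
# ParamInjection error and the permitted_params allow-list are assumptions
# made to illustrate the issue's point.

class ParamInjection < StandardError; end

# Naive base class: every key in the hash becomes an instance variable,
# so a caller can pre-set memoised ivars such as @stripped_body.
class NaiveService
  def self.call(params)
    new(params).call
  end

  def initialize(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
  end
end

# Hardened base class:
#   1. refuses Rails-style params that respond to `permitted?` with false,
#      as the comment proposes (non-Rails hashes are unaffected);
#   2. copies only the keys the service explicitly declares.
class StrictService
  def self.call(params)
    new(params).call
  end

  def self.permitted_params(*names)
    @permitted = names.map(&:to_s)
  end

  def self.permitted
    @permitted || []
  end

  def initialize(params)
    if params.respond_to?(:permitted?) && !params.permitted?
      raise ParamInjection, 'unpermitted parameters passed to service'
    end
    params.each do |key, value|
      next unless self.class.permitted.include?(key.to_s)
      instance_variable_set("@#{key}", value)
    end
  end
end

# Minimal stand-in for Rails' strip_tags so the example runs without Rails.
def strip_tags(html)
  html.to_s.gsub(/<[^>]*>/, '')
end

# The memoised accessor from the issue, shared by both variants.
module MemoisedBody
  def body
    @stripped_body ||= strip_tags(@body)
  end

  def call
    body
  end
end

class NaivePost < NaiveService
  include MemoisedBody
end

class StrictPost < StrictService
  include MemoisedBody
  permitted_params :body
end

# Stand-in for ActionController::Parameters that was never `.permit`ed.
class UnpermittedParams < Hash
  def permitted?
    false
  end
end

# Constructed request: the second key is the injection the issue describes.
INJECTED = { 'body' => 'hi', 'stripped_body' => '<script>alert(1)</script>' }.freeze

# Naive variant: the caller-supplied @stripped_body short-circuits `||=`,
# so the markup is returned without ever being stripped.
def naive_result
  NaivePost.call(INJECTED)
end

# Strict variant: only @body is copied, so the memo is computed from it.
def strict_result
  StrictPost.call(INJECTED)
end

# Strict variant with unpermitted Rails-style params: raises before any
# instance variable is set.
def strict_rejects_unpermitted?
  StrictPost.call(UnpermittedParams.new.merge!(INJECTED))
  false
rescue ParamInjection
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{naive_result}"
  puts "strict: #{strict_result}"
  puts "strict rejects unpermitted params: #{strict_rejects_unpermitted?}"
end
```

The allow-list is what actually closes the hole: the `permitted?` check alone only helps callers who pass `ActionController::Parameters`, while a plain hash built from `request.params` would still reach the naive `instance_variable_set` loop.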