iago-silva / service_it Goto Github PK

A potential issue I see is that you could lead yourself to param injection without the proper documentation.
In the README, it suggests using it as: Foo.call(params)
If for instance, somebody passed params directly from a "Rails" controller (I realize this doesn't suggest that we're using rails, but a lot of people using Ruby gems are), that would set all the ivars.

Now...
If somebody using this gem decides to memoize the stripping of tags with:

def body
  @stripped_body ||= strip_tags(@body)
end

The "attacker" would then be capable of "injecting" @stripping_body into the service controller using any parameter. If this was put into the database and "blindly" displayed to users, it would result in an XSS injection.

Now, I don't believe it's your gem's responsibility to necessarily fix this, but I do this this should be mentioned in the documentation, along with a second possible option:

If a object responds to permitted? and permitted? == false then throw an exception, which would make it do the same thing rails does and have a safe fallback without getting in the way of non-rails users.

I realize this is an edge case, but I could see code being used exactly that way.