rails form_for + address picker jquery creates odd parameter format for post

Derek_Chadwell · December 14, 2013, 3:36am

I am using the addresspicker jquery to get a user address. The user address fields and hidden fields for latitude and longitude are in fields_for “:Locations”. In order for the jquery callback to fill in my latitude and longitude boxes I have to use the “:name=>” tag on the fields. When I do this, my form is posted with the latitude and longitude fields outside the :Locations structure. As a result, I can’t use “.permit()” on them and I’m worried that I’m leaving my program vulnerable.

the data structure sent to rails via the POST:

 "utf8"=>"✓",
"authenticity_token"=>"VIp6TnK7UoVEfELzwUhkbdySp/k4NhMtjdlRIWcgVaY=",
"user"=>{"first_name"=>"firstname",
"last_name"=>"lastname",
"email_address"=>"first@last.com",
"password"=>"[FILTERED]",
"password_confirmation"=>"[FILTERED]"},
"Locations"=>{"location"=>"Bugs bunnies Rabbit hole, Albequerque, NM, United States"},
"lat"=>"39.988052",
"lng"=>"-28.817452",
"commit"=>"Creating a user"}

The forms and corresponding javascript:

41

42 <%= form_for @user do |f| %>

43 Create Your Account

44 <%= f.label :first_name %>

45 <%= f.text_field :first_name, :placeholder => “First Name” %>

46

47 <%= f.label :last_name %>

48 <%= f.text_field :last_name, :placeholder => “Last Name”%>

49

50 <%= f.label :email_address %>

51 <%= f.text_field :email_address, :placeholder => “you@location.domain” %>

52

53 <%= f.label :password %>

54 <%= f.password_field :password, :placeholder => “Minimum six characters” %>

55

56 <%= f.label :password_confirmation, “Confirm Password” %>

57 <%= f.password_field :password_confirmation %>

58

59

60 Where you would like to find volunteer opportunities

61

62 <%= fields_for :Locations do |l| %>

63 <%= l.text_field :location, :placeholder => “e.g. 27370 or Archdale, NC”, :id => “geocomplete”, :class => “ui-autocomplete-input”, :autocomplete=>“off”%>

64

65 <%= l.text_field :latitude, :name => “lat” %>

66 <%= l.text_field :longitude, :name => “lng” %>

67 <% end %>

68

69 <%= f.submit “Let’s do it!”, :class => “btn btn-large btn-success” %>

70 <% end %>

71

72

73

74

75

76

77

78

79

my controller as it stands now:

1 class UsersController < ApplicationController

2

3 def create

4 @user = User.new(params[:user].permit(:first_name, :last_name, :password,

5 :password_confirmation, :email_address))

6 @user.confirmation = _random_string()

7 @location = @user.Locations.build(params[:Locations].permit(:location))

8 @location.coordinates = [params[:lng],params[:lat]]

9 @location.distance = 50

10

11 if not @user.save

12 flash[:notice] = “user not saved”

13 render “/static_pages/homepage”

14 return

15 end

The javascript is awfully long so I won’t post it here, but it can be viewed at GitHub - ubilabs/geocomplete: jQuery Geocoding and Places Autocomplete Plugin . I think all you would need to know about it is that it defines attributes for a found google address and then fills in fields on a page whose names match the attribute names in the jquery. Of those, I am only interested in “lat” and “lng” for now.

My question is around the right way to do this. Should I do something to force the “lat” and “lng” variables into the Locations hash so I can .permit() those keys and keep my program safe? Should I not worry about it and soldier on? Is there something inherently wrong with my use of the name symbols with the fields_for functionality? A consult is very welcome.

Bala_Paranj1 · December 14, 2013, 11:41pm

I don’t think you should be worried about lat and long being outside of the locations. What is the worst thing that can happen? You have to make a judgement based on the application requirements.

Frederick_Cheung · December 15, 2013, 11:06am

First off it looks like the plugin will, instead of looking at the name attribute look at the attribute of your choice if you ask it to. The example in the docs reads

<div class="details">
  Latitude: <span data-geo="lat" />
  Longitude: <span data-geo="lng" />
  Address: <span data-geo="formatted_address" />
  Country Code: <span data-geo="country_short" />
</div>

$("input").geocomplete({
  details: ".details",
  detailsAttribute: "data-geo"
});

Which seems to suggest that it would then use the data-geo attribute to locate the fields.

As far as security goes, you should be ok as it is. The reason things like strong parameters (and previously attr_accessible) is that we’re trying to have all of the convenience of SomeClass.create(params[:some_class]) but with the safety that comes from explicitly saying what should be assigned (so that people can’t add extra params to the hash and have us blindly assign them) eg

object = SomeClass.new

object.foo = params[:foo]

object.bar = params[:bar]

which is tedious. There isn’t anything wrong from a security point of view with the tedious way: no one can add extra parameters and have you unwittingly used them.

The only extra thing strong_parameters does is reject parameters of unexpected types. There have been in the past vulnerabilities due to arrays, nils, hashes etc. being passed when the programmer expected strings or numbers (although if my memory is correct that was to do with those values being passed to where().

To replicate that protection, all you would have to do is

@location.coordinates = [params[:lng].to_f,params[:lat].to_f]

Fred