Support parameter filtering based on allow lists

ActiveSupport::ParameterFilter currently works as a deny list: you specify the parameters that should be filtered. For example, to filter password parameters you could do:

Rails.application.config.filter_parameters += [:password]

Some applications have stricter requirements and an allow list filter would be preferred. This is possible with a lambda. For example, only allowing "id"s:

Rails.application.config.filter_parameters += [
  lambda { |key, value|
    # filter all parameters that aren't :id
    # (keys arrive as strings, so compare on the string form; `key.in?(:id)`
    # would raise because a Symbol does not respond to #include?)
    value.replace('[FILTERED]') unless key.to_s == 'id'
  }
]

But this can be error-prone. For example, this doesn’t work if a value is nil. This is because nil.to_s returns a frozen string since Ruby 2.7 and replace isn’t allowed on frozen strings.

In 2022 I created a PR to support allow list filtering. For example, to only allow primary keys and foreign keys you could configure the following:

Rails.application.config.allow_parameters = [:id, /_id\z/]

I’m wondering if I’m the only one running into this issue. Are there other solutions I’m missing?
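As an added illustration (not code from the post, the PR, or Rails itself), the block below is a standalone allow-list filter in plain Ruby with no ActiveSupport dependency. It takes the same kind of allow list as the proposed `allow_parameters` setting (`[:id, /_id\z/]`, constructed here) and builds a new filtered structure instead of mutating values in place, which is what lets nil, numbers and frozen strings be masked like any other value. The `SAMPLE_PARAMS` hash and the helper names are constructed for the example; `maskable_in_place?` only shows which values the in-place `replace` approach can touch.

```ruby
# Added example, not Rails' ParameterFilter: a standalone allow-list filter.
# Values under keys that are not on the allow list are replaced by MASK;
# allowed keys keep their value. Nested hashes and arrays are walked recursively.

MASK = "[FILTERED]".freeze

# Allow-list entries may be Symbols/Strings (exact match on the key name)
# or Regexps (matched against the key name), mirroring [:id, /_id\z/].
def allowed_key?(key, allow_list)
  name = key.to_s
  allow_list.any? do |entry|
    case entry
    when Regexp then entry.match?(name)
    else entry.to_s == name
    end
  end
end

# Filters one value found under +key+. Arrays inherit the key of the
# parameter that holds them, so ["a", "b"] under "notes" is fully masked.
def filter_value(key, value, allow_list)
  case value
  when Hash  then allow_list_filter(value, allow_list)
  when Array then value.map { |v| filter_value(key, v, allow_list) }
  else allowed_key?(key, allow_list) ? value : MASK
  end
end

# Returns a new hash; the input is never mutated, so nil and frozen values
# are handled without any #replace call.
def allow_list_filter(params, allow_list)
  params.each_with_object({}) do |(key, value), out|
    out[key] = filter_value(key, value, allow_list)
  end
end

# Shows why the in-place lambda approach is fragile: only an unfrozen object
# that responds to #replace (in practice a String) can be masked that way.
def maskable_in_place?(value)
  value.respond_to?(:replace) && !value.frozen?
end

# Constructed sample request parameters (not from a real application).
SAMPLE_PARAMS = {
  "id" => 42,
  "user" => {
    "id" => 7,
    "account_id" => 9,
    "password" => "hunter2",
    "nickname" => nil,
  },
  "order_ids" => [1, 2],          # ends in "ids", so /_id\z/ does not match
  "notes" => ["private", nil],
}.freeze

ALLOW_LIST = [:id, /_id\z/].freeze

def filtered_sample
  allow_list_filter(SAMPLE_PARAMS, ALLOW_LIST)
end

if __FILE__ == $PROGRAM_NAME
  require "pp"
  pp filtered_sample
  puts "nil maskable in place? #{maskable_in_place?(nil)}"
end
```

Run it with `ruby allow_list_filter.rb`: every key except `id` and `account_id` is masked, including the nil `nickname` and the integer array under `order_ids`, and the anchored regexp shows why `order_ids` is not treated as a foreign-key column.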

It’s a bit of a paranoia mode.

I can imagine financial or governmental entities that would go that extreme into filtering. Maybe the use case is too small for the framework to carry.

Maybe a gem would be a better fit for that feature. If there’s enough traction in the gem, it would be easier to integrate into Rails in the future.
