Cop idea: Disallow `params.require.permit` and `params.require` in favor of `params.expect` for rails 8.0 #1358

Earlopain · 2024-09-08T10:25:41Z

Is your feature request related to a problem? Please describe.

Rails added params.expect in rails/rails#51674. There are some problems with require that are nicely explained in that PR (and linked issues) but it basically boils down to this:

params.require(:user).permit(:name) raises if params looks like user=123 (not the expected shape). The newly added expect avoids this problem by making the shape part of the contract.

Describe the solution you'd like

Method docs: https://edgeapi.rubyonrails.org/classes/ActionController/Parameters.html#method-i-expect

params.require(:user).permit(:name)
# => 
params.expect(user: %i[name])

params.require(:user).permit(*permitted_params, some_ids: [])
# => 
params.permit(user: [*permitted_params, [:some_ids]])

params.permit(:name)
# =>
params.expect(:name)

These two method calls will likely be close together, so I believe it would be best for the cop to simply catch these simple cases first.

Additional context

If plain params.require is added as an offense, it must be unsafe. Consider the following case:

# Allows an array/hash
User.find(params.require(:id))
# This does not
User.find(params.expect([:id]))
# If arrays are expected:
User.find(params.expect([[:id]])
# expect can't allow both an array and plain type

There is no replacement for the following (yet?):

params.fetch(:optional, {}).permit(:some_arg)

The text was updated successfully, but these errors were encountered:

koic · 2025-01-15T03:13:58Z

The following description appears to have a mistake.

params.require(:user).permit(*permitted_params, some_ids: [])
# => 
params.permit(user: [*permitted_params, [:some_ids]])

Here is an example of the parameters in Rails 8.0.1:

params = ActionController::Parameters.new(user: { name: 'Martin', foo: 'abc', bar: 'xyz', some_ids: [42, 43] })
permitted_params = %i[foo bar]

some_ids is missing when [:some_ids]:

params.expect(user: [*permitted_params, [:some_ids]])
=> #<ActionController::Parameters {"foo"=>"abc", "bar"=>"xyz"} permitted: true>

The same as with require(:user).permit..., some_ids should be present when some_ids: []:

params.expect(user: [*permitted_params, some_ids: []])
=> #<ActionController::Parameters {"foo"=>"abc", "bar"=>"xyz", "some_ids"=>[42, 43]} permitted: true>
params.require(:user).permit(*permitted_params, some_ids: [])
=> #<ActionController::Parameters {"foo"=>"abc", "bar"=>"xyz", "some_ids"=>[42, 43]} permitted: true>

Therefore, the bad / good example in this case would be as follows:

# bad
params.require(:user).permit(*permitted_params, some_ids: [])

# good
params.expect(user: [*permitted_params, some_ids: []])

## Summary This PR adds new `Rails/ActionControllerParametersExpect` cop that enforces the use of `ActionController::Parameters#expect` as a method for strong parameter handling. As a starting point for this Cop, the implementation in this PR will detect the following cases. ```ruby # bad params.require(:user).permit(:name, :age) params.permit(user: [:name, :age]).require(:user) # good params.expect(user: [:name, :age]) ``` ## Safety This cop's autocorrection is considered unsafe because there are cases where the HTTP status may change from 500 to 400 when handling invalid parameters. This change, however, reflects an intentional incompatibility introduced for valid reasons by the `expect` method, which aligns better with strong parameter conventions. ## Additional Information This cop does not detect the following cases for the reasons outlined below. Consideration will be given to whether these should be provided as separate options. ## `params.permit` Incompatibilities occur with the returned object. ```ruby params = ActionController::Parameters.new(id: 42) # => #<ActionController::Parameters {"id"=>42} permitted: false> params.permit(:id) # => #<ActionController::Parameters {"id"=>42} permitted: true> params.expect(:id) # => 42 ``` ## `params.require` It cannot be determined whether `expect(:ids)` or `expect(ids: [])` should be used for the parameter. `ids` is `42`: ```ruby params = ActionController::Parameters.new(ids: 42) # => #<ActionController::Parameters {"ids"=>42} permitted: false> params.require(:ids) # => 42 params.expect(:ids) # => 42 params.expect(ids: []) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` `ids` is `[42, 43]`: ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params.require(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) params.expect(ids: []) # => [42, 43] ``` ## `params[]` and `params.fetch` Incompatibilities occur when the value is an array. ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params[:ids] # => [42, 43] params.fetch(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` These may be designed and provided separately in the future. Closes rubocop#1358.

## Summary This PR adds new `Rails/ActionControllerParametersExpect` cop that enforces the use of `ActionController::Parameters#expect` as a method for strong parameter handling. As a starting point for this Cop, the implementation in this PR will detect the following cases. ```ruby # bad params.require(:user).permit(:name, :age) params.permit(user: [:name, :age]).require(:user) # good params.expect(user: [:name, :age]) ``` ## Safety This cop's autocorrection is considered unsafe because there are cases where the HTTP status may change from 500 to 400 when handling invalid parameters. This change, however, reflects an intentional incompatibility introduced for valid reasons by the `expect` method, which aligns better with strong parameter conventions. ## Additional Information This cop does not detect the following cases for the reasons outlined below. Consideration will be given to whether these should be provided as separate options. ### `params.permit` Incompatibilities occur with the returned object. ```ruby params = ActionController::Parameters.new(id: 42) # => #<ActionController::Parameters {"id"=>42} permitted: false> params.permit(:id) # => #<ActionController::Parameters {"id"=>42} permitted: true> params.expect(:id) # => 42 ``` ### `params.require` It cannot be determined whether `expect(:ids)` or `expect(ids: [])` should be used for the parameter. `ids` is `42`: ```ruby params = ActionController::Parameters.new(ids: 42) # => #<ActionController::Parameters {"ids"=>42} permitted: false> params.require(:ids) # => 42 params.expect(:ids) # => 42 params.expect(ids: []) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` `ids` is `[42, 43]`: ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params.require(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) params.expect(ids: []) # => [42, 43] ``` ### `params[]` and `params.fetch` Incompatibilities occur when the value is an array. ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params[:ids] # => [42, 43] params.fetch(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` These may be designed and provided separately in the future. Closes rubocop#1358.

## Summary This PR adds new `Rails/StrongParametersExpect` cop that enforces the use of `ActionController::Parameters#expect` as a method for strong parameter handling. As a starting point for this Cop, the implementation in this PR will detect the following cases. ```ruby # bad params.require(:user).permit(:name, :age) params.permit(user: [:name, :age]).require(:user) # good params.expect(user: [:name, :age]) ``` ## Safety This cop's autocorrection is considered unsafe because there are cases where the HTTP status may change from 500 to 400 when handling invalid parameters. This change, however, reflects an intentional incompatibility introduced for valid reasons by the `expect` method, which aligns better with strong parameter conventions. ## Additional Information This cop does not detect the following cases for the reasons outlined below. Consideration will be given to whether these should be provided as separate options. ### `params.permit` Incompatibilities occur with the returned object. ```ruby params = ActionController::Parameters.new(id: 42) # => #<ActionController::Parameters {"id"=>42} permitted: false> params.permit(:id) # => #<ActionController::Parameters {"id"=>42} permitted: true> params.expect(:id) # => 42 ``` ### `params.require` It cannot be determined whether `expect(:ids)` or `expect(ids: [])` should be used for the parameter. `ids` is `42`: ```ruby params = ActionController::Parameters.new(ids: 42) # => #<ActionController::Parameters {"ids"=>42} permitted: false> params.require(:ids) # => 42 params.expect(:ids) # => 42 params.expect(ids: []) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` `ids` is `[42, 43]`: ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params.require(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) params.expect(ids: []) # => [42, 43] ``` ### `params[]` and `params.fetch` Incompatibilities occur when the value is an array. ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params[:ids] # => [42, 43] params.fetch(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` These may be designed and provided separately in the future. Closes rubocop#1358.

## Summary This PR adds new `Rails/StrongParametersExpect` cop that enforces the use of `ActionController::Parameters#expect` as a method for strong parameter handling. As a starting point for this cop, the implementation in this PR will detect the following cases. ```ruby # bad params.require(:user).permit(:name, :age) params.permit(user: [:name, :age]).require(:user) # good params.expect(user: [:name, :age]) ``` ## Safety This cop's autocorrection is considered unsafe because there are cases where the HTTP status may change from 500 to 400 when handling invalid parameters. This change, however, reflects an intentional incompatibility introduced for valid reasons by the `expect` method, which aligns better with strong parameter conventions. ## Additional Information This cop does not detect the following cases for the reasons outlined below. Consideration will be given to whether these should be provided as separate options. ### `params.permit` Incompatibilities occur with the returned object. ```ruby params = ActionController::Parameters.new(id: 42) # => #<ActionController::Parameters {"id"=>42} permitted: false> params.permit(:id) # => #<ActionController::Parameters {"id"=>42} permitted: true> params.expect(:id) # => 42 ``` ### `params.require` It cannot be determined whether `expect(:ids)` or `expect(ids: [])` should be used for the parameter. `ids` is `42`: ```ruby params = ActionController::Parameters.new(ids: 42) # => #<ActionController::Parameters {"ids"=>42} permitted: false> params.require(:ids) # => 42 params.expect(:ids) # => 42 params.expect(ids: []) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` `ids` is `[42, 43]`: ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params.require(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) params.expect(ids: []) # => [42, 43] ``` ### `params[]` and `params.fetch` Incompatibilities occur when the value is an array. ```ruby params = ActionController::Parameters.new(ids: [42, 43]) # => #<ActionController::Parameters {"ids"=>[42, 43]} permitted: false> params[:ids] # => [42, 43] params.fetch(:ids) # => [42, 43] params.expect(:ids) # => param is missing or the value is empty or invalid: ids (ActionController::ParameterMissing) ``` These may be designed and provided separately in the future. Closes rubocop#1358.

koic added the feature request Request for new functionality label Nov 20, 2024

koic mentioned this issue Jan 17, 2025

Add new Rails/StrongParametersExpect cop #1412

Merged

9 tasks

koic closed this as completed in #1412 Jan 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cop idea: Disallow `params.require.permit` and `params.require` in favor of `params.expect` for rails 8.0 #1358

Cop idea: Disallow `params.require.permit` and `params.require` in favor of `params.expect` for rails 8.0 #1358

Earlopain commented Sep 8, 2024

koic commented Jan 15, 2025 •

edited

Loading

Cop idea: Disallow params.require.permit and params.require in favor of params.expect for rails 8.0 #1358

Cop idea: Disallow params.require.permit and params.require in favor of params.expect for rails 8.0 #1358

Comments

Earlopain commented Sep 8, 2024

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Additional context

koic commented Jan 15, 2025 • edited Loading

Cop idea: Disallow `params.require.permit` and `params.require` in favor of `params.expect` for rails 8.0 #1358

Cop idea: Disallow `params.require.permit` and `params.require` in favor of `params.expect` for rails 8.0 #1358

koic commented Jan 15, 2025 •

edited

Loading