Bumps the npm_and_yarn group with 1 update in the / directory: [yaml](https://github.com/eemeli/yaml). Updates `yaml` from 2.3.4 to 2.8.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.3.4...v2.8.3) --- updated-dependencies: - dependency-name: yaml dependency-version: 2.8.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
Implemented a before_action to strip null bytes from request parameters, enhancing security and data integrity. Introduced methods to recursively sanitize strings, arrays, hashes, and ActionController::Parameters, ensuring all incoming data is clean before processing.
Implemented tests to ensure that user registration handles null bytes in parameters correctly. The specs verify that null bytes are sanitized without raising errors and that the user is successfully created, both for flat and nested payloads. This enhances the robustness of user input handling in the registration process.
…arn-8ffe74b2ea Bump yaml from 2.3.4 to 2.8.3 in the npm_and_yarn group across 1 directory
Bumps the npm_and_yarn group with 2 updates in the / directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [picomatch](https://github.com/micromatch/picomatch). Updates `brace-expansion` from 1.1.12 to 1.1.13 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
…arn-f9a7637a8a Bump the npm_and_yarn group across 1 directory with 2 updates
Contributor
Pull request overview
Adds a global Rails request-parameter sanitization hook to remove null bytes (\u0000) from incoming params, and updates a few Yarn-locked dependencies. New request specs cover sign-up and sign-in flows when null bytes are present in submitted parameters.
Changes:
- Add an `ApplicationController` `before_action` that recursively strips null bytes from request parameters.
- Add request specs for Devise user registration and session creation with null-byte-containing params (including nested structures).
- Update `yarn.lock` entries for `brace-expansion`, `picomatch`, and `yaml`.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| app/controllers/application_controller.rb | Adds recursive null-byte stripping for incoming parameters via a before_action. |
| spec/requests/user_registrations_spec.rb | Adds registration request specs exercising null-byte sanitization behavior. |
| spec/requests/user_sessions_spec.rb | Adds login request specs exercising null-byte sanitization behavior. |
| yarn.lock | Bumps a few transitive JS dependencies. |
Implemented a test to ensure that null bytes in passwords are sanitized during user authentication. The test verifies that no errors are raised and that the user is redirected appropriately after login. This enhances the security of user session handling by ensuring that null bytes do not disrupt the authentication process.
This pull request introduces a new mechanism to sanitize incoming request parameters by removing null bytes, preventing potential issues or security risks associated with null byte injection. The sanitization is applied recursively to all parameters, including nested structures. Comprehensive request specs are also added to verify this behavior for user registration and login flows.
Parameter sanitization improvements:
- `before_action` in `ApplicationController` to recursively strip null bytes from all incoming parameters, including nested hashes and arrays. This ensures that no null bytes are present in any part of the request data.

Testing and validation:
- `user_registrations_spec.rb` to verify that null bytes are sanitized from both top-level and nested parameters, and that user creation still succeeds.
- `user_sessions_spec.rb` to confirm that login works as expected even when null bytes are present in parameters, including nested structures.
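The recursive sanitizer this PR describes, written here as an added plain-Ruby example rather than the project's own code: it strips `\u0000` from strings, arrays and hashes, leaves non-string scalars untouched, and covers `ActionController::Parameters` only by duck typing through a constructed stand-in (`FakeParams`), since Rails is not loaded here.

```ruby
# Recursive null-byte stripping for request-parameter trees, as a
# stand-alone module (added example; the PR wires the same logic into an
# ApplicationController before_action).
module NullByteSanitizer
  NUL = "\u0000".freeze

  module_function

  # Returns a sanitized copy; the input is never mutated.
  def sanitize(value)
    case value
    when String
      value.include?(NUL) ? value.delete(NUL) : value
    when Array
      value.map { |v| sanitize(v) }
    when Hash
      # Keys are sanitized too: a client controls them just like values.
      value.each_with_object({}) { |(k, v), h| h[sanitize(k)] = sanitize(v) }
    else
      # Assumption: ActionController::Parameters is not a Hash subclass, so
      # it is unwrapped via to_unsafe_h and rebuilt with the same class.
      if value.respond_to?(:to_unsafe_h)
        value.class.new(sanitize(value.to_unsafe_h))
      else
        value # Integers, nil, booleans, file uploads: left as-is
      end
    end
  end

  # Predicate used to verify that nothing slipped through (what the specs check).
  def null_bytes?(value)
    case value
    when String then value.include?(NUL)
    when Array  then value.any? { |v| null_bytes?(v) }
    when Hash   then value.any? { |k, v| null_bytes?(k) || null_bytes?(v) }
    else value.respond_to?(:to_unsafe_h) && null_bytes?(value.to_unsafe_h)
    end
  end
end

# Constructed stand-in for ActionController::Parameters (not the Rails class):
# exposes to_unsafe_h and is rebuildable from a Hash, which is all the
# sanitizer relies on.
FakeParams = Struct.new(:to_unsafe_h)
```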