Derek Chadwell
2013-Dec-14 03:36 UTC
rails form_for + address picker jquery creates odd parameter format for post
I am using the addresspicker jquery to get a user address. The user address fields and hidden fields for latitude and longitude are in fields_for ":Locations". In order for the jquery callback to fill in my latitude and longitude boxes I have to use the ":name=>" tag on the fields. When I do this, my form is posted with the latitude and longitude fields outside the :Locations structure. As a result, I can't use ".permit()" on them and I'm worried that I'm leaving my program vulnerable.

The data structure sent to rails via the POST:

    "utf8"=>"✓",
    "authenticity_token"=>"VIp6TnK7UoVEfELzwUhkbdySp/k4NhMtjdlRIWcgVaY=",
    "user"=>{"first_name"=>"firstname",
             "last_name"=>"lastname",
             "email_address"=>"first-6Vq5lzdrSxo@public.gmane.org",
             "password"=>"[FILTERED]",
             "password_confirmation"=>"[FILTERED]"},
    "Locations"=>{"location"=>"Bugs bunnies Rabbit hole, Albequerque, NM, United States"},
    "lat"=>"39.988052",
    "lng"=>"-28.817452",
    "commit"=>"Creating a user"}

The forms and corresponding javascript:

    <div class="span5">
      <%= form_for @user do |f| %>
        <legend>Create Your Account</legend>
        <%= f.label :first_name %>
        <%= f.text_field :first_name, :placeholder => "First Name" %>

        <%= f.label :last_name %>
        <%= f.text_field :last_name, :placeholder => "Last Name" %>

        <%= f.label :email_address %>
        <%= f.text_field :email_address, :placeholder => "you-0tkTgdqk2en9bp6bbG3JOw@public.gmane.org" %>

        <%= f.label :password %>
        <%= f.password_field :password, :placeholder => "Minimum six characters" %>

        <%= f.label :password_confirmation, "Confirm Password" %>
        <%= f.password_field :password_confirmation %>

        <label>
          Where you would like to find volunteer opportunities
        </label>
        <%= fields_for :Locations do |l| %>
          <%= l.text_field :location, :placeholder => "e.g. 27370 or Archdale, NC", :id => "geocomplete", :class => "ui-autocomplete-input", :autocomplete => "off" %>

          <%= l.text_field :latitude, :name => "lat" %>
          <%= l.text_field :longitude, :name => "lng" %>
        <% end %>
        <br>
        <%= f.submit "Let's do it!", :class => "btn btn-large btn-success" %>
      <% end %>

    </div>
    </div>
    </div>

    <script src="http://maps.googleapis.com/maps/api/js?sensor=false&libraries=places"></script>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
    <script src="/assets/jquery.geocomplete.js?body=1"></script>
    <script>
      $(function(){
        $("#geocomplete").geocomplete({
          details: "form",
          types: ["geocode", "establishment"]
        });
      });
    </script>

My controller as it stands now:

    class UsersController < ApplicationController

      def create
        @user = User.new(params[:user].permit(:first_name, :last_name, :password,
                                              :password_confirmation, :email_address))
        @user.confirmation = _random_string()
        @location = @user.Locations.build(params[:Locations].permit(:location))
        @location.coordinates = [params[:lng], params[:lat]]
        @location.distance = 50

        if not @user.save
          flash[:notice] = "user not saved"
          render "/static_pages/homepage"
          return
        end

The javascript is awfully long so I won't post it here, but it can be viewed at https://github.com/ubilabs/geocomplete/ . I think all you would need to know about it is that it defines attributes for a found google address and then fills in fields on a page whose names match the attribute names in the jquery. Of those, I am only interested in "lat" and "lng" for now.

My question is around the right way to do this. Should I do something to force the "lat" and "lng" variables into the Locations hash so I can .permit() those keys and keep my program safe? Should I not worry about it and soldier on? Is there something inherently wrong with my use of the name symbols with the fields_for functionality?

A consult is very welcome.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/c548aa3e-c7b1-4c32-b718-f342f7cb56a3%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Bala Paranj
2013-Dec-14 23:41 UTC
Re: rails form_for + address picker jquery creates odd parameter format for post
I don't think you should be worried about lat and long being outside of the locations. What is the worst thing that can happen? You have to make a judgement based on the application requirements.

On Friday, December 13, 2013 7:36:27 PM UTC-8, Derek Chadwell wrote:
> My question is around the right way to do this. Should I do something to force the "lat" and "lng" variables into the Locations hash so I can .permit() those keys and keep my program safe? Should I not worry about it and soldier on? Is there something inherently wrong with my use of the name symbols with the fields_for functionality? A consult is very welcome.
Frederick Cheung
2013-Dec-15 11:06 UTC
Re: rails form_for + address picker jquery creates odd parameter format for post
On Saturday, December 14, 2013 3:36:27 AM UTC, Derek Chadwell wrote:
> The javascript is awfully long so I won't post it here, but it can be viewed at https://github.com/ubilabs/geocomplete/ . I think all you would need to know about it is that it defines attributes for a found google address and then fills in fields on a page whose names match the attribute names in the jquery. Of those, I am only interested in "lat" and "lng" for now.
>
> My question is around the right way to do this. Should I do something to force the "lat" and "lng" variables into the Locations hash so I can .permit() those keys and keep my program safe? Should I not worry about it and soldier on? Is there something inherently wrong with my use of the name symbols with the fields_for functionality? A consult is very welcome.

First off it looks like the plugin will, instead of looking at the name attribute, look at the attribute of your choice if you ask it to. The example in the docs reads

    <div class="details">
      Latitude: <span data-geo="lat" />
      Longitude: <span data-geo="lng" />
      Address: <span data-geo="formatted_address" />
      Country Code: <span data-geo="country_short" />
    </div>

    $("input").geocomplete({
      details: ".details",
      detailsAttribute: "data-geo"
    });

which seems to suggest that it would then use the data-geo attribute to locate the fields.

As far as security goes, you should be ok as it is. The reason things like strong parameters (and previously attr_accessible) exist is that we're trying to have all of the convenience of

    SomeClass.create(params[:some_class])

but with the safety that comes from explicitly saying what should be assigned (so that people can't add extra params to the hash and have us blindly assign them), e.g.

    object = SomeClass.new
    object.foo = params[:foo]
    object.bar = params[:bar]

which is tedious. There isn't anything wrong from a security point of view with the tedious way: no one can add extra parameters and have you unwittingly use them. The only extra thing strong_parameters does is reject parameters of unexpected types. There have been in the past vulnerabilities due to arrays, nils, hashes etc. being passed when the programmer expected strings or numbers (although if my memory is correct that was to do with those values being passed to where()). To replicate that protection, all you would have to do is

    @location.coordinates = [params[:lng].to_f, params[:lat].to_f]

Fred
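Taking Derek's question and Fred's two answers together (keep the inputs inside Locations by pointing the plugin at a data-geo attribute, and coerce lat/lng so unexpected types are not assigned), here is an added example in plain Ruby. It is not code from the thread or from the geocomplete project and needs no Rails: PARAMS is a constructed Hash mirroring the POST in the first post, and BadParameter, coerce_coordinate, coordinates_from, coordinates_via_to_f and permit_location are names chosen for this example. It goes a step beyond Fred's to_f suggestion by also rejecting non-numeric and out-of-range values.

```ruby
# Added example, not code from the thread or from geocomplete. Plain Ruby, no Rails:
# PARAMS is a constructed Hash standing in for the params the posted form sends.

LAT_RANGE = (-90.0..90.0)
LNG_RANGE = (-180.0..180.0)
DECIMAL   = /\A-?\d+(\.\d+)?\z/

class BadParameter < ArgumentError; end

# Constructed to mirror the POST shown in the first post.
PARAMS = {
  "user"      => { "first_name" => "firstname", "last_name" => "lastname" },
  "Locations" => { "location" => "Bugs bunnies Rabbit hole, Albequerque, NM, United States" },
  "lat"       => "39.988052",
  "lng"       => "-28.817452",
  "commit"    => "Creating a user",
}.freeze

# Strict coercion: only a scalar String/Numeric that is a plain decimal inside the
# allowed range is accepted. Arrays, Hashes and nil (the "unexpected types" Fred
# mentions) raise BadParameter instead of being assigned to the model.
def coerce_coordinate(value, range, name)
  unless value.is_a?(String) || value.is_a?(Numeric)
    raise BadParameter, "#{name}: expected a scalar, got #{value.class}"
  end
  text = value.to_s.strip
  raise BadParameter, "#{name}: not a decimal number: #{text.inspect}" unless text.match?(DECIMAL)
  number = Float(text)
  raise BadParameter, "#{name}: #{number} is outside #{range}" unless range.cover?(number)
  number
end

# Same [lng, lat] ordering as the posted controller, but validated first.
def coordinates_from(params)
  [coerce_coordinate(params["lng"], LNG_RANGE, "lng"),
   coerce_coordinate(params["lat"], LAT_RANGE, "lat")]
end

# Fred's one-liner for comparison: to_f turns nil into 0.0 and raises NoMethodError
# on an Array or Hash, but it also turns "abc" into 0.0 and accepts any magnitude.
def coordinates_via_to_f(params)
  [params["lng"].to_f, params["lat"].to_f]
end

# If the form keeps the inputs named Locations[latitude] / Locations[longitude]
# (using detailsAttribute: "data-geo" so the plugin no longer needs the name
# attribute), one whitelist covers them. This emulates
# permit(:location, :latitude, :longitude) on a plain Hash: unlisted keys are
# dropped and non-String values are rejected.
LOCATION_FIELDS = %w[location latitude longitude].freeze

def permit_location(params)
  nested = params["Locations"]
  raise BadParameter, "Locations: expected a Hash, got #{nested.class}" unless nested.is_a?(Hash)
  nested.each_with_object({}) do |(key, value), out|
    next unless LOCATION_FIELDS.include?(key)
    raise BadParameter, "Locations[#{key}]: expected a scalar, got #{value.class}" unless value.is_a?(String)
    out[key] = value
  end
end

if __FILE__ == $0
  p coordinates_from(PARAMS)                            # [-28.817452, 39.988052]
  p coordinates_via_to_f(PARAMS.merge("lat" => "abc"))  # [-28.817452, 0.0]
  begin
    coordinates_from(PARAMS.merge("lat" => ["1", "2"]))
  rescue BadParameter => e
    puts "rejected: #{e.message}"
  end
  nested = PARAMS["Locations"].merge("latitude" => "39.988052", "longitude" => "-28.817452", "admin" => "1")
  p permit_location(PARAMS.merge("Locations" => nested))   # "admin" is dropped
end
```

The comparison shows what strong_parameters' type check buys over bare assignment: with to_f alone a tampered "lat" of "abc" silently becomes 0.0 and lands in the database, while the strict version refuses it, refuses arrays and nils, and refuses coordinates no geocoder would produce.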