Rails 5: Attempting to generate a URL from non-sanitized request parameters - How to find params to whitelist

I'm using Rails 5 and this link

```erb
<%= link_to 'Pdf', payments_path(params.merge(format: :pdf)), :target => "_blank" %>
```

causes:

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

I have seen a few questions on this issue already and how it is the .merge that causes this.

For a while I just used params.permit! to avoid facing the problem, but obviously that's not a solution.

So I understand I have to whitelist necessary params.

Isn't it enough to create the usual:

```ruby
def whatever_params
  params.require(:whatever).permit(.....)
end
```

and whitelist all necessary params?

I'm new to Rails and so far I have whitelisted params for forms, so regarding POST parameters. In that case I just include params used in form fields. But I understand this is regarding params on the URL, so query string parameters. So is this regarding params passed to the URL from ransack or will_paginate (gems I'm using)? This confuses me..

How exactly do I check which params need to be whitelisted to avoid receiving that error?

catmal Avatar asked Nov 16 '25 15:11

1 Answer

1. Yes. It's enough to create a simple method like whatever_params and use params.require(:whatever).permit(..) or params.permit(...)

2. Move all the params that you use into the whitelist. For example, you have a GET request with tons of params but use only some of them, and they are optional:

```ruby
def my_params
  params.permit(:category, :name, :age) # params that you use
end
```
idej Avatar answered Nov 19 '25 09:11
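The following is an added example, not code from the question, the answer or Rails itself, showing in plain Ruby why the warning exists and what the whitelist-then-merge pattern achieves for a page that carries ransack (`q[...]`) and will_paginate (`page`) query parameters. The sample query hash is constructed for the example; `host`, `protocol` and `script_name` are the kind of reserved keys `url_for` honours when they appear in the options hash, which is why Rails refuses to build a URL from unfiltered `params`. The `whitelist` helper is a stand-in with the same call shape as Strong Parameters' `permit` (symbols allow scalars, a hash allows a nested hash with the listed subkeys) so the block runs without Rails; in the app itself the equivalent is `params.permit(:page, q: [:name_cont, :s]).merge(format: :pdf)` passed to `payments_path`.

```ruby
require 'uri'

# Constructed sample of what `params` might contain on an index page that uses
# ransack and will_paginate, plus keys an attacker could append to the query
# string. Everything here is hypothetical example data.
RAW_PARAMS = {
  "page"        => "2",
  "q"           => { "name_cont" => "smith", "s" => "created_at desc",
                     "evil_key"  => "1" },
  "host"        => "attacker.example",   # would redirect the generated URL
  "protocol"    => "http",               # would downgrade it
  "script_name" => "/phish",             # would change the path prefix
  "utf8"        => "✓",
}.freeze

# Whitelist filter shaped like Strong Parameters' permit (not the real one):
# a Symbol/String rule allows a scalar key, a Hash rule allows a nested hash
# restricted to the listed subkeys. Unlisted keys are dropped silently.
def whitelist(params, allowed)
  allowed.each_with_object({}) do |rule, out|
    case rule
    when Symbol, String
      key = rule.to_s
      val = params[key]
      out[key] = val if val.is_a?(String)
    when Hash
      rule.each do |key, subrules|
        nested = params[key.to_s]
        next unless nested.is_a?(Hash)
        out[key.to_s] = whitelist(nested, subrules)
      end
    end
  end
end

# Only the params the PDF link actually needs: the current page and the
# ransack search/sort fields. Nothing else survives the merge.
PDF_LINK_ALLOWED = [:page, { q: [:name_cont, :s] }].freeze

def pdf_link_params(params)
  whitelist(params, PDF_LINK_ALLOWED).merge("format" => "pdf")
end

# Flatten nested hashes into Rails-style query keys, e.g. q[name_cont]=smith.
def to_query(hash, prefix = nil)
  hash.flat_map do |k, v|
    name = prefix ? "#{prefix}[#{k}]" : k.to_s
    v.is_a?(Hash) ? to_query(v, name) : [[name, v]]
  end
end

def pdf_query_string(params)
  URI.encode_www_form(to_query(pdf_link_params(params)))
end

if __FILE__ == $PROGRAM_NAME
  puts pdf_query_string(RAW_PARAMS)
  # page=2&q%5Bname_cont%5D=smith&q%5Bs%5D=created_at+desc&format=pdf
end
```

The practical way to decide what goes into the list is to read the link's query string after a search and a page change and permit exactly those keys; anything you did not list (including the injected `host`) is discarded rather than passed to `url_for`.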