From 7bade4a4c07ef0f31b6169234a6df7318d8dfbb9 Mon Sep 17 00:00:00 2001
From: habdul-razak
Date: Thu, 19 Dec 2024 21:40:08 -0500
Subject: [PATCH] Add sanitization to the passwords controller

---
 app/controllers/devise/passwords_controller.rb | 4 ++++
 lib/devise/parameter_sanitizer.rb | 3 ++-
 test/parameter_sanitizer_test.rb | 7 +++++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/app/controllers/devise/passwords_controller.rb b/app/controllers/devise/passwords_controller.rb
index 3af1f864b7..942987214a 100644
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -80,4 +80,8 @@ def unlockable?(resource)
   def translation_scope
     'devise.passwords'
   end
+
+  def resource_params
+    devise_parameter_sanitizer.sanitize(:reset_password)
+  end
 end
diff --git a/lib/devise/parameter_sanitizer.rb b/lib/devise/parameter_sanitizer.rb
index 6d9523a4f5..a00a4513b9 100644
--- a/lib/devise/parameter_sanitizer.rb
+++ b/lib/devise/parameter_sanitizer.rb
@@ -38,7 +38,8 @@ class ParameterSanitizer
     DEFAULT_PERMITTED_ATTRIBUTES = {
       sign_in: [:password, :remember_me],
       sign_up: [:password, :password_confirmation],
-      account_update: [:password, :password_confirmation, :current_password]
+      account_update: [:password, :password_confirmation, :current_password],
+      reset_password: [:reset_password_token, :password, :password_confirmation]
     }
 
     def initialize(resource_class, resource_name, params)
diff --git a/test/parameter_sanitizer_test.rb b/test/parameter_sanitizer_test.rb
index c00cd58eb9..9fbebf69c1 100644
--- a/test/parameter_sanitizer_test.rb
+++ b/test/parameter_sanitizer_test.rb
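Review bot: The new `resource_params` override applies to every action of the controller, not only `update`, yet `sanitize(:reset_password)` permits just the model's authentication keys plus the three keys this patch adds to `DEFAULT_PERMITTED_ATTRIBUTES`. If `create` also feeds `send_reset_password_instructions` from `resource_params` (that action is outside the hunk), an app whose `reset_password_keys` differ from its `authentication_keys` will have those lookup keys stripped and the reset email will presumably never be sent, with no error surfaced. Either restrict the override to the reset-by-token path or widen the permitted set, e.g. `devise_parameter_sanitizer.permit(:reset_password, keys: resource_class.reset_password_keys)` ahead of the `sanitize` call. In any case the method needs a why-comment, e.g. `# Strong-parameter filter for the reset flow: only the token and new password may pass.`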
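Review bot: The fourth entry added to `DEFAULT_PERMITTED_ATTRIBUTES` lands without any documentation, and the explanatory comments of `ParameterSanitizer` above line 38 (outside the hunk) appear to enumerate the default actions; if they list `sign_in`, `sign_up` and `account_update`, `reset_password` must be added there too, or users of `permit`/`sanitize` will not learn the action exists. An inline note on the new line would also help, e.g. `reset_password: [:reset_password_token, :password, :password_confirmation], # consumed by reset_password_by_token`. Worth stating explicitly in that documentation is that `:reset_password_token` is a credential and is deliberately permitted only for this action, never for `sign_up` or `account_update`.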
@@ -58,6 +58,13 @@ def sanitizer(params)
     assert_equal({ 'email' => 'jose' }, sanitized)
   end
 
+  test 'permits the default parameters for password reset' do
+    sanitizer = sanitizer('user' => { 'email' => 'jose', 'password' => 'myPassword1234', 'role' => 'invalid' })
+    sanitized = sanitizer.sanitize(:reset_password)
+
+    assert_equal({ 'email' => 'jose', 'password' => 'myPassword1234' }, sanitized)
+  end
+
   test 'permits news parameters for an existing action' do
     sanitizer = sanitizer('user' => { 'username' => 'jose' })
     sanitizer.permit(:sign_in, keys: [:username])
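Review bot: The new test never sends `reset_password_token` or `password_confirmation`, the two keys that distinguish this action from `sign_in`, so a misspelling in the new default list would pass unnoticed; only the auth key and `password` are exercised. Extend the fixture and the expectation: `sanitizer = sanitizer('user' => { 'email' => 'jose', 'reset_password_token' => 'abc', 'password' => 'myPassword1234', 'password_confirmation' => 'myPassword1234', 'role' => 'invalid' })` and `assert_equal({ 'email' => 'jose', 'reset_password_token' => 'abc', 'password' => 'myPassword1234', 'password_confirmation' => 'myPassword1234' }, sanitized)`. The expected hash also contains `email`, which is not in the `reset_password` list, presumably because the sanitizer merges the model's authentication keys into every action; a one-line comment saying so, e.g. `# email is present because the sanitizer prepends the authentication keys`, would spare the next reader a trip into `ParameterSanitizer#permit`.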