Today I Learned

A Hashrocket project

deep_munge, I hardly knew ye.

Rails 4.1.8 has a method called deep_munge which is intended to massage params to convert empty arrays into nils in response to security issues like http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660.

This can be tricky when sending in a json string as post data that may have some values that should be empty arrays. Those empty arrays will get converted to nil.

To get around that rails 4.1.8 added a configuration option

config.action_dispatch.perform_deep_munge = false

Rails 5.0 intends to not have the same sql injection vulnerabilities and so have removed the deep_munge method that would change an empty array value to nil but have left in the configuration option which produces behavior best described by looking at the tests.

Rails source

Looking for help? Hashrocket has been an industry leader in Ruby on Rails since 2008. Rails is a core skill for each developer at Hashrocket, and we'd love to take a look at your project. Contact us and find out how we can help you.