Almost all of these exceptions are not real bugs but annoyances giving 500 on invalid URLs and invalid forms. But it’s noise under which exceptions corresponding to real bugs can hide. I receive lots of similar exceptions in Bugsnag and it’s really hard to defend against them in Rails, especially if you use nested structures in params heavily.
I wish there was a layer between the HTTP request and the data used by the app (forms, etc.) configurable declaratively, so either you have valid data on output or it returns an HTTP error response. Unfortunately, in Rails similar functionality is coupled to the ORM, older versions had vulnerabilities due to this, and “strong parameters”, introduced later, is just an incomplete hack to patch these vulnerabilities.
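The layer the comment above wishes for, as an added example that is not from the thread or from Rails: a small declarative schema validator in plain Ruby (validate_params and USER_SCHEMA are hypothetical names) that covers the nested-params case from the first comment, returning a list of errors a controller can map to a 400 instead of raising into a 500.

```ruby
# Added example: a declarative schema layer between raw request params (a plain
# Hash, as Rack parses a form body) and the data the app uses. Returns either
# coerced data or a list of errors. validate_params is a hypothetical helper.
def validate_params(schema, params, path = [])
  loc = ->(key) { (path + [key]).join('.') }
  # Nested key sent as a string or array where an object was expected: report
  # it instead of calling Hash methods on it (the usual NoMethodError -> 500).
  unless params.is_a?(Hash)
    return [nil, ["#{path.empty? ? 'root' : path.join('.')}: expected object, got #{params.class}"]]
  end
  errors = []
  data = {}
  schema.each do |key, rule|
    value = params[key.to_s]
    if value.nil?
      errors << "#{loc.(key)}: missing" if rule[:required]
      next
    end
    case rule[:type]
    when :string
      if value.is_a?(String) then data[key] = value
      else errors << "#{loc.(key)}: expected string" end
    when :integer
      if value.to_s.match?(/\A-?\d+\z/) then data[key] = value.to_s.to_i
      else errors << "#{loc.(key)}: expected integer" end
    when :object
      nested, nested_errors = validate_params(rule[:schema], value, path + [key])
      errors.concat(nested_errors)
      data[key] = nested if nested_errors.empty?
    end
  end
  [errors.empty? ? data : nil, errors]
end
# Declarative description of what the app accepts; keys the schema does not
# know (e.g. "admin") are dropped, as with strong parameters.
USER_SCHEMA = {
  user: { type: :object, required: true, schema: {
    name:    { type: :string, required: true },
    age:     { type: :integer },
    address: { type: :object, schema: { city: { type: :string, required: true } } }
  } }
}.freeze
# Constructed inputs: a well-formed form body, and "user=ann", where a string
# arrives in place of the nested hash (the shape on which
# params.require(:user).permit(...) raises NoMethodError on String).
GOOD_PARAMS = { "user" => { "name" => "ann", "age" => "42",
                            "address" => { "city" => "Oslo" }, "admin" => "1" } }
BAD_PARAMS  = { "user" => "ann" }
```

A controller would call `validate_params(USER_SCHEMA, request.params)` and render a 400 with the error list whenever the data half is nil.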
With all that data and those code patterns, it seems like a researcher could build a static analyzer that finds these. I’ve seen similar stuff for PHP in CompSci work.