A question about Rails magic:

I was playing around in IRB with the tainted? method, and then I just did the following:

>> User.first.attributes.collect { |column, value| [column, value.tainted?] }
=> [["phone", true], ["state", false], ["persistence_token", true], ["last_login_ip", true], ["country", true], ["login_count", false], ["last_request_at", false], ["id", false], ["forname", true], ["current_login_at", false], ["name", true]]

Does anyone know why some attributes are tainted and some are not? And is there a way to choose which columns should be tainted?

Edit

Thanks for the answers.

@sgtFloyd: I just tried updating country manually. This is what happens:

>> u = User.first
>> u.country = "USA"
=> "USA"
>> u.country.tainted?
=> false
>> u.save
=> true
>> u.country.tainted?
=> false
>> u.reload
>> u.country.tainted?
=> true
>> u.country.class
=> String # it's also string in the database

Edit 2

I removed everything from the User model, and some String columns appear untainted while others are...

Thanks a lot!

3 Answers

taint and tainted? are methods on Ruby's Object class. If you're looking for which objects have been modified in your Rails app, you're probably looking for changed?

@customer.email = 'new@email.com'
do_something if @customer.email_changed? 
answered 2012-03-15T21:56:05.030
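As an added example (not from the original answers and not ActiveModel::Dirty's own implementation), here is a small plain-Ruby stand-in for the changed? / <attribute>_changed? dirty tracking this answer points to, so the pattern can be run without Rails; the TrackedRecord class and its tracked_attributes helper are hypothetical names.

```ruby
# Plain-Ruby stand-in for Rails' dirty tracking (hypothetical, not ActiveModel code):
# tracks which attributes differ from the last persisted snapshot.
class TrackedRecord
  # Declare the attributes to track (hypothetical helper in Rails' style)
  def self.tracked_attributes(*names)
    names.each do |name|
      define_method(name) { @attrs[name] }
      define_method("#{name}=") { |value| @attrs[name] = value }
      # Rails-style predicate, e.g. country_changed?
      define_method("#{name}_changed?") { @attrs[name] != @original[name] }
    end
  end

  def initialize(**values)
    @attrs = values
    @original = snapshot # the "persisted" state we compare against
  end

  def changed?
    !changes.empty?
  end

  # { attribute => [old, new] } for every attribute that differs from the snapshot
  def changes
    @attrs.each_with_object({}) do |(name, value), acc|
      acc[name] = [@original[name], value] if value != @original[name]
    end
  end

  # Persisting clears the dirty state, as u.save does in the question's IRB session
  def save
    @original = snapshot
    true
  end

  private

  # Copy each value so in-place mutation (u.name << "!") is still detected
  def snapshot
    @attrs.transform_values { |v| v.dup }
  end
end

class User < TrackedRecord
  tracked_attributes :country, :name
end

u = User.new(country: "France", name: "Alice") # constructed sample record
u.country = "USA"
u.country_changed? # => true
u.save
u.changed?         # => false
```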
AFAIK, Rails does not make use of taint; it keeps track of changes and html_safe conditions, but I have not seen any mention of taint. The Ruby docs for taint say an object is supposed to be tainted when it comes from external sources; I would guess that has something to do with the SQL libraries in use. But without seeing that library itself, I can't guess as to why some are tainted and some aren't.

Running that code on my projects comes up with all false. It likely depends on what version of Ruby/Rails etc. you are running, and since it isn't defined by Rails, it is probably unsuitable to depend on.

answered 2012-03-15T22:16:48.923

From Programming Ruby

Any Ruby object derived from some external source (for example, a string read from a file, or an environment variable) is automatically marked as being tainted. If your program uses a tainted object to derive a new object, then that new object will also be tainted...

From your example, columns like last_login_at, password_salt and created_at are created and handled solely internally, without using any user input. phone, email, country etc. are derived from user input, so they're intrinsically untrustworthy.

answered 2012-03-15T22:17:37.660