Rails 4.1.5 Security Fix Breaks Model.where(attributes)

YIKES! Rails 4.1.5 requires you to use safe params for any param to where that is_a? Hash

For example, if you were doing a Model.where using slice to take some keys out of some object that derives from Hash, then your code will throw this error when you migrate from Rails 4.1.4 to Rails 4.1.5:

An ActiveModel::ForbiddenAttributesError occurred in omniauth_callbacks#facebook:

In my case, I was calling this code:

def find_for_facebook_oauth(auth)
  Authentication.where(auth.slice(:provider, :uid)).first.try(:user)

One fix is to call this:

def find_for_facebook_oauth(auth)
  Authentication.where(provider: auth["provider"], uid: auth["uid"]).first.try(:user)

The problem is that auth.slice(:provider, :uid)) returns a Hash (actually a OmniAuth::AuthHash which is a Hashie::Mash which is a Hash, and so it gets sanitized!

Here’s the change:

What is the recommendation for this? Do we need to inspect all places where gets used? The problem is that where is at the model level, and secure params is at the Controller level.