Blogmark

Why You Need Strong Parameters in Rails

via jbranchaud@gmail.com

https://www.writesoftwarewell.com/why-use-strong-parameters-in-rails/
Ruby on Rails

This includes an interesting bit of history about a GitHub hack that inspired the need for strong parameters in Rails.

If you want to see a real-world example, in 2012 GitHub was compromised by this vulnerability. A GitHub user used mass assignment that gave him administrator privileges to none other than the Ruby on Rails project.

The article goes on to demonstrate the basics of using strong params. It even shows off a new-to-me expect method, added in Rails 8, that is more ergonomic than the require/permit syntax.

# require/permit
user_params = params.require(:user).permit(:name, :location)

# expect
user_params = params.expect(user: [:name, :location])
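To see why the allowlist matters, here is an added example (not from the linked article and not Rails' own code) that simulates mass assignment with a minimal stand-in for ActionController::Parameters; the StrongParams class, the User model and the hostile request hash are all constructed for illustration.

```ruby
# Added example, not from the linked article or from Rails itself. StrongParams
# is a simplified stand-in for ActionController::Parameters, implementing only
# the require/permit semantics the post discusses.

class User
  attr_accessor :name, :location, :admin

  def initialize(attrs = {})
    @admin = false
    # Mass assignment: every key in the hash becomes a setter call on the model.
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

class StrongParams
  def initialize(hash)
    @hash = hash
  end

  # require: the top-level key must be present, otherwise the request is rejected.
  def require(key)
    raise ArgumentError, "param is missing: #{key}" unless @hash.key?(key.to_s)
    StrongParams.new(@hash[key.to_s])
  end

  # permit: keep only the allowlisted keys; anything else is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Constructed hostile request: the client adds an "admin" key the form never offered.
REQUEST = { "user" => { "name" => "mallory", "location" => "nowhere", "admin" => true } }

# Vulnerable pattern: the raw request hash goes straight into the model.
def create_user_unfiltered(request)
  User.new(request["user"])
end

# Hardened pattern: require/permit allowlists the attributes before assignment.
def create_user_filtered(request)
  User.new(StrongParams.new(request).require(:user).permit(:name, :location))
end

puts create_user_unfiltered(REQUEST).admin  # => true  (privilege escalation)
puts create_user_filtered(REQUEST).admin    # => false (admin key dropped)
```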