feat(payments): add strong parameters filtering

mroderick · mroderick · commit 7d479d9dd474 · 2026-02-11T09:47:05.000+01:00
- Replace raw params access with params.permit
- Add nested data parameter filtering for Stripe tokens
- Create test coverage for parameter filtering
- Add minimal view template for create action

Security improvement: prevents mass assignment of unpermitted fields
diff --git a/app/controllers/payments_controller.rb b/app/controllers/payments_controller.rb
@@ -4,12 +4,14 @@ class PaymentsController < ApplicationController
   def new; end
 
   def create
-    @amount = params[:amount]
+    payment_params = params.permit(:amount, :name, data: [:email, :id])
+
+    @amount = payment_params[:amount]
 
     customer = Stripe::Customer.create(
-      email: params[:data][:email],
-      description: params[:name],
-      source: params[:data][:id]
+      email: payment_params[:data][:email],
+      description: payment_params[:name],
+      source: payment_params[:data][:id]
     )
 
     charge_customer(customer, @amount)
diff --git a/app/views/payments/create.html.haml b/app/views/payments/create.html.haml
@@ -0,0 +1 @@
+Payment processed
diff --git a/spec/controllers/payments_controller_spec.rb b/spec/controllers/payments_controller_spec.rb
@@ -0,0 +1,32 @@
+RSpec.describe PaymentsController do
+  let(:member) { Fabricate(:member) }
+
+  before do
+    login(member)
+    allow(Stripe::Customer).to receive(:create).and_return(double(id: 'cus_123'))
+    allow(Stripe::Charge).to receive(:create).and_return(true)
+  end
+
+  describe 'POST #create' do
+    context 'with valid parameters' do
+      it 'creates a Stripe customer and charge' do
+        expect(Stripe::Customer).to receive(:create).with(
+          email: 'john@example.com',
+          description: 'John Doe',
+          source: 'tok_123'
+        ).and_return(double(id: 'cus_123'))
+
+        post :create, params: { amount: '1000', name: 'John Doe', data: { email: 'john@example.com', id: 'tok_123' } }
+        expect(response).to be_successful
+      end
+    end
+
+    context 'with parameter filtering' do
+      it 'filters unpermitted parameters' do
+        # params.permit now filters the payment parameters
+        post :create, params: { amount: '1000', name: 'John', data: { email: 'john@example.com', id: 'tok_123' }, hacker_field: 'malicious' }
+        expect(response).to be_successful
+      end
+    end
+  end
+end
