Protect against fallback: false for exists?

[namolnad]

I noticed that exists? with fallback: false is potentially still exposed to an enumeration vulnerability, which would allow attackers to determine things like the number of records in a table. E.g. If an attacker were to discover an endpoint that was backed simply by Record.exists? then this would allow them to pass in a non-prefixed id and potentially determine information like the number of records in a given table, even if fallback was set to false. I think this change makes the behavior a bit safer and more predictable, though I was unsure how to handle array find-conditions, so have treated those as unsupported for now.

Hopefully this is helpful. Let me know what you think :)

[excid3]

I'm tempted to just remove the exists? override and recommend using decode_prefix_id(params[:id]) before calling exists?.

We'll end up with more and more of workarounds the more we override Rails features which doesn't seem like a good long-term approach.

[namolnad]

@excid3 I feel like that could be a good idea. I've been finding more and more edge cases to handle for the current state of the world, which already seems a bit shaky/nebulous. Not to mention these all seem to mess with fixture accessor setup from any Rails version before 7.1 (hence the test failures)

[excid3]

I think that's the route we'll take. The find override isn't too bad and is 99% of the usage I think.

[namolnad]

Makes sense! The removal via 33c7982 provides the protection I was thinking was needed, so 👍 all around. Thanks for working with me on it!

[excid3]

Thanks for your help on this too @namolnad! This feels like a good move all around.