diff --git a/app/controllers/admin/variant_overrides_controller.rb b/app/controllers/admin/variant_overrides_controller.rb
index 41c95a4451..3530b3648f 100644
--- a/app/controllers/admin/variant_overrides_controller.rb
+++ b/app/controllers/admin/variant_overrides_controller.rb
@@ -68,7 +68,7 @@ module Admin
 end
 def load_collection
- collection_hash = Hash[params[:variant_overrides].each_with_index.map { |vo, i| [i, vo] }]
+ collection_hash = Hash[variant_overrides_params.each_with_index.map { |vo, i| [i, vo] }]
 @vo_set = VariantOverrideSet.new @variant_overrides, collection_attributes: collection_hash
 end
@@ -92,5 +92,15 @@ module Admin
 full_messages.each { |fm| errors.add(:base, fm) }
 errors
 end
+
+ def variant_overrides_params
+ params.require(:variant_overrides).map do |variant_override|
+ variant_override.permit(
+ :id, :variant_id, :hub_id,
+ :price, :count_on_hand, :sku, :on_demand,
+ :default_stock, :resettable, :tag_list
+ )
+ end
+ end
 end
 end
diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb
index 0b18072869..fe727ac77e 100644
--- a/app/controllers/spree/admin/products_controller.rb
+++ b/app/controllers/spree/admin/products_controller.rb
@@ -160,10 +160,22 @@ module Spree
 private
 def product_set_from_params(params)
- collection_hash = Hash[params[:products].each_with_index.map { |p, i| [i, p] }]
+ collection_hash = Hash[products_params.each_with_index.map { |p, i| [i, p] }]
 Spree::ProductSet.new(collection_attributes: collection_hash)
 end
+ def products_params
+ params.require(:products).map do |product|
+ product.permit(::PermittedAttributes::Product.attributes)
+ end
+ end
+
+ def permitted_resource_params
+ return params[:product] if params[:product].empty?
+
+ params.require(:product).permit(::PermittedAttributes::Product.attributes)
+ end
+
 def bulk_index_query(params)
 params[:filters].to_h.merge(page: params[:page], per_page: params[:per_page])
 end
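Review bot: The permit list in `variant_overrides_params` includes `:id`, `:variant_id` and `:hub_id`, and `load_collection` pairs the permitted hashes with `@variant_overrides` purely by index, so a submitted `id` or `hub_id` can name an override outside the set loaded for this user unless VariantOverrideSet checks membership; the loading and authorization code is outside the hunk, so this needs confirming rather than assuming. If the set only needs `id` to match rows, dropping `:hub_id` and `:variant_id` from the bulk-update list removes the question. For consistency with the new `PermittedAttributes::Product` and `PermittedAttributes::Variant` classes, the inline list could live in a `PermittedAttributes::VariantOverride.attributes` (proposed name). `params.require(:variant_overrides).map` also assumes the parameter is an array; an index-keyed hash would yield `[key, value]` pairs and `permit` would then be called on an Array.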
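Review bot: `permitted_resource_params` calls `params[:product].empty?` before `require`, and `ActionController::Parameters#[]` returns nil for a missing key, so a request with no `product` key fails with NoMethodError instead of the empty-hash path the guard is written for. `return {} if params[:product].blank?` covers both the absent and the empty case and assigns nothing, which is what the empty branch achieves today. `products_params` carries the same array assumption as the variant-overrides change: if `:products` arrives as an index-keyed hash, `map` yields pairs and `product.permit` raises. Both methods permit `::PermittedAttributes::Product.attributes` at the top level, and that list begins with `:id`, so a top-level `product[id]` would be mass-assigned onto the record; `::PermittedAttributes::Product.attributes - [:id]` keeps `:id` only where it is needed, in the nested `variants_attributes` filter.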
diff --git a/app/controllers/spree/admin/resource_controller.rb b/app/controllers/spree/admin/resource_controller.rb
index d1ce6e8b27..8b7c0cde12 100644
--- a/app/controllers/spree/admin/resource_controller.rb
+++ b/app/controllers/spree/admin/resource_controller.rb
@@ -28,7 +28,7 @@ module Spree
 def update
 invoke_callbacks(:update, :before)
- if @object.update_attributes(params[object_name])
+ if @object.update_attributes(permitted_resource_params)
 invoke_callbacks(:update, :after)
 flash[:success] = flash_message_for(@object, :successfully_updated)
 respond_with(@object) do |format|
@@ -43,7 +43,7 @@ module Spree
 def create
 invoke_callbacks(:create, :before)
- @object.attributes = params[object_name]
+ @object.attributes = permitted_resource_params
 if @object.save
 invoke_callbacks(:create, :after)
 flash[:success] = flash_message_for(@object, :successfully_created)
@@ -251,6 +251,13 @@ module Spree
 end
 end
+ # Permit specific list of params
+ #
+ # Example: params.require(object_name).permit(:name)
+ def permitted_resource_params
+ raise "All extending controllers need to override the method permitted_resource_params"
+ end
+
 def collection_url(options = {})
 if parent_data.present?
 spree.polymorphic_url([:admin, parent, model_class], options)
diff --git a/app/controllers/spree/admin/variants_controller.rb b/app/controllers/spree/admin/variants_controller.rb
index 2e95fc0a9b..0936ffd155 100644
--- a/app/controllers/spree/admin/variants_controller.rb
+++ b/app/controllers/spree/admin/variants_controller.rb
@@ -63,6 +63,14 @@ module Spree
 end
 @collection
 end
+
+ def variant_params
+ params.require(:variant).permit(::PermittedAttributes::Variant.attributes)
+ end
+
+ def permitted_resource_params
+ variant_params
+ end
 end
 end
 end
diff --git a/app/services/permitted_attributes/product.rb b/app/services/permitted_attributes/product.rb
new file mode 100644
index 0000000000..13ff8d56ef
--- /dev/null
+++ b/app/services/permitted_attributes/product.rb
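Review bot: The fallback `permitted_resource_params` raises a bare RuntimeError; `raise NotImplementedError, "All extending controllers need to override the method permitted_resource_params"` states the abstract-hook contract and is what callers and linters expect. Because `update` and `create` (the -28 and -43 hunks) now route every mass assignment through this hook, any subclass of this controller not touched by this diff will raise on its first create or update; that set is outside the hunk and is worth enumerating before merge. The comment above the method could also state that the override must return permitted parameters (or a plain Hash), since Active Record rejects unpermitted `ActionController::Parameters` on mass assignment.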
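Review bot: `variant_params` permits `::PermittedAttributes::Variant.attributes` at the top level, and that list starts with `:id`, so `create` (which does `@object.attributes = permitted_resource_params`) and `update` would accept a client-supplied `variant[id]` and assign it to the primary key unless the model protects it elsewhere. `:id` is needed when the same list is nested under `variants_attributes` to address existing rows, so the fix is local: `params.require(:variant).permit(::PermittedAttributes::Variant.attributes - [:id])`. products_controller's `permitted_resource_params` has the same exposure with `PermittedAttributes::Product.attributes`. `permitted_resource_params` here only forwards to `variant_params`; `alias_method :permitted_resource_params, :variant_params` says the same in one line.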
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+ class Product
+ def self.attributes
+ [
+ :id, :name, :description, :supplier_id, :price, :cost_price, :permalink,
+ :variant_unit, :variant_unit_scale, :unit_value, :unit_description, :variant_unit_name,
+ :display_as, :sku, :available_on, :group_buy, :group_buy_unit_size,
+ :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id,
+ :meta_keywords, :meta_description, :notes, :inherits_properties,
+ product_properties_attributes: [:id, :property_name, :value],
+ variants_attributes: [PermittedAttributes::Variant.attributes],
+ images_attributes: [:attachment]
+ ]
+ end
+ end
+end
diff --git a/app/services/permitted_attributes/variant.rb b/app/services/permitted_attributes/variant.rb
new file mode 100644
index 0000000000..a04928af0d
--- /dev/null
+++ b/app/services/permitted_attributes/variant.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+ class Variant
+ def self.attributes
+ [
+ :id, :sku, :on_hand, :on_demand,
+ :cost_price, :price, :unit_value, :unit_description,
+ :display_name, :display_as,
+ :weight, :height, :width, :depth
+ ]
+ end
+ end
+end
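Review bot: `:taxon_ids` is declared as a bare scalar in `Product.attributes`, and strong parameters filter out an array submitted under a scalar key, so if the product form posts `taxon_ids[]` from a multi-select the value would be dropped (logged or raised depending on `action_on_unpermitted_parameters`) rather than saved; if that is how the form submits it, the entry needs to be `taxon_ids: []`. The list serves two purposes, the top-level product permit and the nested `variants_attributes` filter via `PermittedAttributes::Variant.attributes`, which a one-line class comment should record, e.g. `# Mass-assignment whitelist for Spree::Product; also reused as the nested variants_attributes filter`. Both new classes rebuild the array on every call; a frozen constant (`ATTRIBUTES = [...].freeze`) returned from `attributes` avoids that and guards the shared list against accidental mutation by a caller.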