Fix bug: ParameterFilter should not add keys (#3431) (#4457)

If called with a hash that has a `default` / `default_proc` configured, `Devise::ParameterFilter` can add in missing keys it was due to attempt to sanitise the values for. This patch prevents this from happening, whilst also clarifying the filtering intent of `ParamaterFilter`. (This can also occur if NilClass has been augmented with definitions for `strip` or `downcase`.) Fixes #3431.
2022-11-09 12:18:31 -05:00 · 2018-05-15 14:47:18 +01:00 · 2018-05-15 14:47:18 +01:00 · 31aceeb104
commit 31aceeb104
parent af8f7e9797
2 changed files with 9 additions and 0 deletions
--- a/lib/devise/parameter_filter.rb
+++ b/lib/devise/parameter_filter.rb
@ -18,6 +18,8 @@ module Devise

    def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
      condition_keys.each do |k|
+        next unless conditions.key?(k)
+
        value = conditions[k]
        conditions[k] = value.send(method) if value.respond_to?(method)
      end
--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@ -88,6 +88,13 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
    assert_equal( {'strip_whitespace' => 'strip_whitespace_val', 'do_not_strip_whitespace' => ' do_not_strip_whitespace_val '}, conditions )
  end

+  test 'param filter should not add keys to filtered hash' do
+    conditions = { 'present' => 'present_val' }
+    conditions.default = ''
+    conditions = Devise::ParameterFilter.new(['not_present'], []).filter(conditions)
+    assert_equal({ 'present' => 'present_val' }, conditions)
+  end
+
  test 'should respond to password and password confirmation' do
    user = new_user
    assert user.respond_to?(:password)