From 31aceeb10429d711e5fee99f5a44b05c8c7c0f0b Mon Sep 17 00:00:00 2001 From: Josh Pencheon Date: Tue, 15 May 2018 14:47:18 +0100 Subject: [PATCH] Fix bug: `ParameterFilter` should not add keys (#3431) (#4457) If called with a hash that has a `default` / `default_proc` configured, `Devise::ParameterFilter` can add in missing keys it was due to attempt to sanitise the values for. This patch prevents this from happening, whilst also clarifying the filtering intent of `ParamaterFilter`. (This can also occur if NilClass has been augmented with definitions for `strip` or `downcase`.) Fixes #3431. --- lib/devise/parameter_filter.rb | 2 ++ test/models/database_authenticatable_test.rb | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/lib/devise/parameter_filter.rb b/lib/devise/parameter_filter.rb index d61e66d1..11e6f9c0 100644 --- a/lib/devise/parameter_filter.rb +++ b/lib/devise/parameter_filter.rb @@ -18,6 +18,8 @@ module Devise def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys) condition_keys.each do |k| + next unless conditions.key?(k) + value = conditions[k] conditions[k] = value.send(method) if value.respond_to?(method) end diff --git a/test/models/database_authenticatable_test.rb b/test/models/database_authenticatable_test.rb index 4e2c6d72..ffd5f291 100644 --- a/test/models/database_authenticatable_test.rb +++ b/test/models/database_authenticatable_test.rb 
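Review bot: The added guard `next unless conditions.key?(k)` in `filtered_hash_by_method_for_given_keys` has no comment explaining why it is there, and a later cleanup could easily drop it as redundant with the `respond_to?` check below. I would add a comment above it such as `# Skip absent keys: reading conditions[k] on a Hash with a default/default_proc would write that default back as a new key.` Judging by the test file this filter normalises the conditions used to find a record for authentication, so presumably a silently added key changes what the lookup matches; that is worth stating too. The method's body continues past the end of the hunk.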
@@ -88,6 +88,13 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase assert_equal( {'strip_whitespace' => 'strip_whitespace_val', 'do_not_strip_whitespace' => ' do_not_strip_whitespace_val '}, conditions ) end + test 'param filter should not add keys to filtered hash' do + conditions = { 'present' => 'present_val' } + conditions.default = '' + conditions = Devise::ParameterFilter.new(['not_present'], []).filter(conditions) + assert_equal({ 'present' => 'present_val' }, conditions) + end + test 'should respond to password and password confirmation' do user = new_user assert user.respond_to?(:password)
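Review bot: The new test `'param filter should not add keys to filtered hash'` only exercises a static `conditions.default = ''`, so the `default_proc` case named in the commit message is not covered. It also passes `'not_present'` only in the first constructor argument, so the second key list (passed as `[]`) never reaches the guard. I would add a sibling test that builds the hash with `conditions = Hash.new { |hash, key| hash[key] = '' }` followed by `conditions['present'] = 'present_val'`, and one that calls `Devise::ParameterFilter.new([], ['not_present'])`, each asserting the same `{ 'present' => 'present_val' }` result. Whether `filter` keeps the default or default proc on the copy it works on is not visible in this hunk, so confirm the new cases fail without the guard.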