Prevent mutation of orig values during case and wspace sanitizations

2022-11-09 12:18:31 -05:00 · 2013-10-17 18:07:42 -05:00 · 2013-10-17 18:07:42 -05:00 · 4861436298
commit 4861436298
parent 844d467ab9
2 changed files with 24 additions and 5 deletions
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@ -174,23 +174,24 @@ module Devise
      end

      def downcase_keys
-        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase!) }
+        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase) }
      end

      def strip_whitespace
-        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip!) }
+        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip) }
      end

      def apply_to_attribute_or_variable(attr, method)
        if self[attr]
-          self[attr].try(method)
+          self[attr] = self[attr].try(method)

        # Use respond_to? here to avoid a regression where globally
        # configured strip_whitespace_keys or case_insensitive_keys were
        # attempting to strip! or downcase! when a model didn't have the
        # globally configured key.
-        elsif respond_to?(attr)
-          send(attr).try(method)
+        elsif respond_to?(attr) && respond_to?("#{attr}=")
+          new_value = send(attr).try(method)
+          send("#{attr}=", new_value)
        end
      end

--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@ -24,6 +24,15 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
    assert_equal confirmation.downcase, user.email_confirmation
  end

+  test 'should not mutate value assigned to case insensitive key' do
+    email          = 'Foo@Bar.com'
+    original_email = email.dup
+    user           = new_user(:email => email)
+
+    user.save!
+    assert_equal original_email, email
+  end
+
  test 'should remove whitespace from strip whitespace keys when saving' do
    # strip_whitespace_keys is set to :email by default.
    email = ' foo@bar.com '
@ -34,6 +43,15 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
    assert_equal email.strip, user.email
  end

+  test 'should not mutate value assigned to string whitespace key' do
+    email          = ' foo@bar.com '
+    original_email = email.dup
+    user           = new_user(:email => email)
+
+    user.save!
+    assert_equal original_email, email
+  end
+
  test "doesn't throw exception when globally configured strip_whitespace_keys are not present on a model" do
    swap Devise, :strip_whitespace_keys => [:fake_key] do
      assert_nothing_raised { create_user }