Dup arrays that get "converted"

We don't want to expose these cache keys to users because users can mutate the key causing the cache to behave inconsistently. Fixes: #43681
2022-11-09 12:12:34 -05:00 · 2021-12-15 14:05:24 -08:00 · 2021-12-15 14:05:24 -08:00 · 8159996ea0
commit 8159996ea0
parent 334dfef1f5
2 changed files with 14 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@ -963,7 +963,7 @@ module ActionController
        when Array
          return value if converted_arrays.member?(value)
          converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
+          converted_arrays << converted.dup
          converted
        when Hash
          self.class.new(value)
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@ -253,6 +253,19 @@ class ParametersPermitTest < ActiveSupport::TestCase
    assert_not_predicate permitted[:users].last, :permitted?
  end

+  test "grow until set rehashes" do
+    params = ActionController::Parameters.new(users: [{ id: 1 }])
+
+    permitted = params.permit(users: [:id])
+    permitted[:users] << { injected: 1 }
+    20.times { |i|
+      list = ["foo#{i}"]
+      permitted[:xx] = list
+      assert_equal permitted[:xx], list
+    }
+    assert_not_predicate permitted[:users].last, :permitted?
+  end
+
  test "fetch doesn't raise ParameterMissing exception if there is a default" do
    assert_equal "monkey", @params.fetch(:foo, "monkey")
    assert_equal "monkey", @params.fetch(:foo) { "monkey" }