kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

converts hashes in arrays of unfiltered params to unpermitted params [fixes #13382]

Browse source
This commit is contained in:
Xavier Noria 2013-12-21 01:11:47 +01:00
parent fbb79b517f
commit 92f9ff8cc3
3 changed files with 23 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
actionpack/CHANGELOG.md
View file

@ -1,3 +1,9 @@
* Converts hashes in arrays of unfiltered params to unpermitted params.
Fixes #13382
*Xavier Noria*
* New config option to opt out of params "deep munging" that was used to
address security vulnerability CVE-2013-0155. In your app config:

13
actionpack/lib/action_controller/metal/strong_parameters.rb
View file

@ -330,11 +330,18 @@ module ActionController
private
def convert_hashes_to_parameters(key, value)
if value.is_a?(Parameters) || !value.is_a?(Hash)
converted = convert_value_to_parameters(value)
self[key] = converted unless converted.equal?(value)
converted
end
def convert_value_to_parameters(value)
if value.is_a?(Array)
value.map { |_| convert_value_to_parameters(_) }
elsif value.is_a?(Parameters) || !value.is_a?(Hash)
value
else
# Convert to Parameters on first access
self[key] = self.class.new(value)
self.class.new(value)
end
end

7
actionpack/test/controller/parameters/parameters_permit_test.rb
View file

@ -153,6 +153,13 @@ class ParametersPermitTest < ActiveSupport::TestCase
assert_equal nil, params[:foo]
end
test 'hashes in array values get wrapped' do
params = ActionController::Parameters.new(foo: [{}, {}])
params[:foo].each do |hash|
assert !hash.permitted?
end
end
test "fetch doesnt raise ParameterMissing exception if there is a default" do
assert_equal "monkey", @params.fetch(:foo, "monkey")
assert_equal "monkey", @params.fetch(:foo) { "monkey" }