1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Merge pull request #35336 from kamipo/dont_allow_non_numeric_string_matches_to_zero

Don't allow `where` with non numeric string matches to 0 values
This commit is contained in:
Ryuta Kamizono 2019-02-21 18:58:44 +09:00 committed by GitHub
commit f8a798c8e6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 23 additions and 9 deletions

View file

@ -26,15 +26,18 @@ module ActiveModel
private private
def number_to_non_number?(old_value, new_value_before_type_cast) def number_to_non_number?(old_value, new_value_before_type_cast)
old_value != nil && non_numeric_string?(new_value_before_type_cast) old_value != nil && non_numeric_string?(new_value_before_type_cast.to_s)
end end
def non_numeric_string?(value) def non_numeric_string?(value)
# 'wibble'.to_i will give zero, we want to make sure # 'wibble'.to_i will give zero, we want to make sure
# that we aren't marking int zero to string zero as # that we aren't marking int zero to string zero as
# changed. # changed.
!/\A[-+]?\d+/.match?(value.to_s) !NUMERIC_REGEX.match?(value)
end end
NUMERIC_REGEX = /\A\s*[+-]?\d/
private_constant :NUMERIC_REGEX
end end
end end
end end

View file

@ -19,11 +19,8 @@ module ActiveModel
end end
def serialize(value) def serialize(value)
result = super return if value.is_a?(::String) && non_numeric_string?(value)
if result ensure_in_range(super)
ensure_in_range(result)
end
result
end end
private private
@ -34,9 +31,10 @@ module ActiveModel
end end
def ensure_in_range(value) def ensure_in_range(value)
unless range.cover?(value) if value && !range.cover?(value)
raise ActiveModel::RangeError, "#{value} is out of range for #{self.class} with limit #{_limit} bytes" raise ActiveModel::RangeError, "#{value} is out of range for #{self.class} with limit #{_limit} bytes"
end end
value
end end
def max_value def max_value

View file

@ -50,6 +50,14 @@ module ActiveModel
assert_equal 7200, type.cast(2.hours) assert_equal 7200, type.cast(2.hours)
end end
test "casting string for database" do
type = Type::Integer.new
assert_nil type.serialize("wibble")
assert_equal 5, type.serialize("5wibble")
assert_equal 5, type.serialize(" +5")
assert_equal(-5, type.serialize(" -5"))
end
test "casting empty string" do test "casting empty string" do
type = Type::Integer.new type = Type::Integer.new
assert_nil type.cast("") assert_nil type.cast("")

View file

@ -1,3 +1,7 @@
* Don't allow `where` with non numeric string matches to 0 values.
*Ryuta Kamizono*
* Introduce `ActiveRecord::Relation#destroy_by` and `ActiveRecord::Relation#delete_by`. * Introduce `ActiveRecord::Relation#destroy_by` and `ActiveRecord::Relation#delete_by`.
`destroy_by` allows relation to find all the records matching the condition and perform `destroy_by` allows relation to find all the records matching the condition and perform

View file

@ -51,8 +51,9 @@ module ActiveRecord
end end
def test_where_with_invalid_value def test_where_with_invalid_value
topics(:first).update!(written_on: nil, bonus_time: nil, last_read: nil) topics(:first).update!(parent_id: 0, written_on: nil, bonus_time: nil, last_read: nil)
assert_empty Topic.where(parent_id: Object.new) assert_empty Topic.where(parent_id: Object.new)
assert_empty Topic.where(parent_id: "not-a-number")
assert_empty Topic.where(written_on: "") assert_empty Topic.where(written_on: "")
assert_empty Topic.where(bonus_time: "") assert_empty Topic.where(bonus_time: "")
assert_empty Topic.where(last_read: "") assert_empty Topic.where(last_read: "")