1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
rails--rails/actionpack/test/dispatch/request/query_string_parsing_test.rb
Jose and Yehuda 56cdc81c08 Remove default match without specified method
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964
2012-04-24 22:52:26 -05:00

120 lines
3.5 KiB
Ruby

require 'abstract_unit'
class QueryStringParsingTest < ActionDispatch::IntegrationTest
class TestController < ActionController::Base
class << self
attr_accessor :last_query_parameters
end
def parse
self.class.last_query_parameters = request.query_parameters
head :ok
end
end
def teardown
TestController.last_query_parameters = nil
end
test "query string" do
assert_parses(
{"action" => "create_customer", "full_name" => "David Heinemeier Hansson", "customerId" => "1"},
"action=create_customer&full_name=David%20Heinemeier%20Hansson&customerId=1"
)
end
test "deep query string" do
assert_parses(
{'x' => {'y' => {'z' => '10'}}},
"x[y][z]=10"
)
end
test "deep query string with array" do
assert_parses({'x' => {'y' => {'z' => ['10']}}}, 'x[y][z][]=10')
assert_parses({'x' => {'y' => {'z' => ['10', '5']}}}, 'x[y][z][]=10&x[y][z][]=5')
end
test "deep query string with array of hash" do
assert_parses({'x' => {'y' => [{'z' => '10'}]}}, 'x[y][][z]=10')
assert_parses({'x' => {'y' => [{'z' => '10', 'w' => '10'}]}}, 'x[y][][z]=10&x[y][][w]=10')
assert_parses({'x' => {'y' => [{'z' => '10', 'v' => {'w' => '10'}}]}}, 'x[y][][z]=10&x[y][][v][w]=10')
end
test "deep query string with array of hashes with one pair" do
assert_parses({'x' => {'y' => [{'z' => '10'}, {'z' => '20'}]}}, 'x[y][][z]=10&x[y][][z]=20')
end
test "deep query string with array of hashes with multiple pairs" do
assert_parses(
{'x' => {'y' => [{'z' => '10', 'w' => 'a'}, {'z' => '20', 'w' => 'b'}]}},
'x[y][][z]=10&x[y][][w]=a&x[y][][z]=20&x[y][][w]=b'
)
end
test "query string with nil" do
assert_parses(
{ "action" => "create_customer", "full_name" => ''},
"action=create_customer&full_name="
)
end
test "query string with array" do
assert_parses(
{ "action" => "create_customer", "selected" => ["1", "2", "3"]},
"action=create_customer&selected[]=1&selected[]=2&selected[]=3"
)
end
test "query string with amps" do
assert_parses(
{ "action" => "create_customer", "name" => "Don't & Does"},
"action=create_customer&name=Don%27t+%26+Does"
)
end
test "query string with many equal" do
assert_parses(
{ "action" => "create_customer", "full_name" => "abc=def=ghi"},
"action=create_customer&full_name=abc=def=ghi"
)
end
test "query string without equal" do
assert_parses({ "action" => nil }, "action")
end
test "query string with empty key" do
assert_parses(
{ "action" => "create_customer", "full_name" => "David Heinemeier Hansson" },
"action=create_customer&full_name=David%20Heinemeier%20Hansson&=Save"
)
end
test "query string with many ampersands" do
assert_parses(
{ "action" => "create_customer", "full_name" => "David Heinemeier Hansson"},
"&action=create_customer&&&full_name=David%20Heinemeier%20Hansson"
)
end
test "unbalanced query string with array" do
assert_parses(
{'location' => ["1", "2"], 'age_group' => ["2"]},
"location[]=1&location[]=2&age_group[]=2"
)
end
private
def assert_parses(expected, actual)
with_routing do |set|
set.draw do
get ':action', :to => ::QueryStringParsingTest::TestController
end
get "/parse", actual
assert_response :ok
assert_equal(expected, ::QueryStringParsingTest::TestController.last_query_parameters)
end
end
end