mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
306dc1a499
If the request parameters are passed to create_with and where they can be used to do mass assignment when used in combination with Relation#create. Fixes CVE-2014-3514 Conflicts: activerecord/lib/active_record/relation/query_methods.rb
28 lines
807 B
Ruby
28 lines
807 B
Ruby
module ActiveModel
|
|
# Raised when forbidden attributes are used for mass assignment.
|
|
#
|
|
# class Person < ActiveRecord::Base
|
|
# end
|
|
#
|
|
# params = ActionController::Parameters.new(name: 'Bob')
|
|
# Person.new(params)
|
|
# # => ActiveModel::ForbiddenAttributesError
|
|
#
|
|
# params.permit!
|
|
# Person.new(params)
|
|
# # => #<Person id: nil, name: "Bob">
|
|
class ForbiddenAttributesError < StandardError
|
|
end
|
|
|
|
module ForbiddenAttributesProtection # :nodoc:
|
|
protected
|
|
def sanitize_for_mass_assignment(attributes)
|
|
if attributes.respond_to?(:permitted?) && !attributes.permitted?
|
|
raise ActiveModel::ForbiddenAttributesError
|
|
else
|
|
attributes
|
|
end
|
|
end
|
|
alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
|
|
end
|
|
end
|