adding test for CVE

2026-01-09 14:48:01 -05:00 · 2013-02-09 17:00:59 -08:00
parent 060bb7250b
commit c35d913524
1 changed files with 10 additions and 0 deletions
--- a/activerecord/test/cases/mass_assignment_security_test.rb
+++ b/activerecord/test/cases/mass_assignment_security_test.rb
@@ -300,6 +300,16 @@ class MassAssignmentSecurityTest < ActiveRecord::TestCase
    assert_admin_attributes(p, true)
  end

+  def test_attr_protected_with_newline
+    p = LoosePerson.new
+    assert_raises(ActiveRecord::UnknownAttributeError) do
+      p.attributes = {"comments=\n"=>"hax"}
+    end
+    assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+    p.attributes= {"comments(1)\n" => "hax"}
+    assert_nil p.comments, "Comments is meant to be attr_protected but I assigned it with attributes="
+  end
+
 end