github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-09 14:48:01 -05:00
Code Issues Packages Projects Releases Wiki Activity

stop calling to_sym when building arel nodes [CVE-2013-1854]

Browse Source
This commit is contained in:
Aaron Patterson
2013-03-05 14:52:08 -08:00
parent 488699166c
commit f980289fd2
4 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
activerecord/lib/active_record/relation.rb
View File

@@ -464,7 +464,7 @@ module ActiveRecord
node.left.relation.name == table_name
}
Hash[equalities.map { |where| [where.left.name, where.right] }]
Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
end
def scope_for_create

2
activerecord/lib/active_record/relation/predicate_builder.rb
View File

@@ -20,7 +20,7 @@ module ActiveRecord
table = Arel::Table.new(table_name, engine)
end
attribute = table[column.to_sym]
attribute = table[column]
case value
when ActiveRecord::Relation

10
activerecord/test/cases/method_scoping_test.rb
View File

@@ -212,14 +212,14 @@ class MethodScopingTest < ActiveRecord::TestCase
table = VerySpecialComment.arel_table
relation = VerySpecialComment.scoped
relation.where_values << table[:id].not_eq(1)
assert_equal({:type => "VerySpecialComment"}, relation.send(:scope_for_create))
assert_equal({'type' => "VerySpecialComment"}, relation.send(:scope_for_create))
end
def test_scoped_create
new_comment = nil
VerySpecialComment.send(:with_scope, :create => { :post_id => 1 }) do
assert_equal({:post_id => 1, :type => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
assert_equal({'post_id' => 1, 'type' => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
new_comment = VerySpecialComment.create :body => "Wonderful world"
end
@@ -228,7 +228,7 @@ class MethodScopingTest < ActiveRecord::TestCase
def test_scoped_create_with_join_and_merge
Comment.where(:body => "but Who's Buying?").joins(:post).merge(Post.where(:body => 'Peace Sells...')).with_scope do
assert_equal({:body => "but Who's Buying?"}, Comment.scoped.scope_for_create)
assert_equal({'body' => "but Who's Buying?"}, Comment.scoped.scope_for_create)
end
end
@@ -441,7 +441,7 @@ class NestedScopingTest < ActiveRecord::TestCase
comment = nil
Comment.send(:with_scope, :create => { :post_id => 1}) do
Comment.send(:with_scope, :create => { :post_id => 2}) do
assert_equal({:post_id => 2}, Comment.scoped.send(:scope_for_create))
assert_equal({'post_id' => 2}, Comment.scoped.send(:scope_for_create))
comment = Comment.create :body => "Hey guys, nested scopes are broken. Please fix!"
end
end
@@ -453,7 +453,7 @@ class NestedScopingTest < ActiveRecord::TestCase
Comment.send(:with_scope, :create => { :body => "Hey guys, nested scopes are broken. Please fix!" }) do
Comment.send(:with_exclusive_scope, :create => { :post_id => 1 }) do
assert_equal({:post_id => 1}, Comment.scoped.send(:scope_for_create))
assert_equal({'post_id' => 1}, Comment.scoped.send(:scope_for_create))
assert_blank Comment.new.body
comment = Comment.create :body => "Hey guys"
end

6
activerecord/test/cases/relation_test.rb
View File

@@ -71,7 +71,7 @@ module ActiveRecord
def test_has_values
relation = Relation.new Post, Post.arel_table
relation.where_values << relation.table[:id].eq(10)
assert_equal({:id => 10}, relation.where_values_hash)
assert_equal({'id' => 10}, relation.where_values_hash)
end
def test_values_wrong_table
@@ -101,7 +101,7 @@ module ActiveRecord
def test_create_with_value
relation = Relation.new Post, Post.arel_table
hash = { :hello => 'world' }
hash = { 'hello' => 'world' }
relation.create_with_value = hash
assert_equal hash, relation.scope_for_create
end
@@ -110,7 +110,7 @@ module ActiveRecord
relation = Relation.new Post, Post.arel_table
relation.where_values << relation.table[:id].eq(10)
relation.create_with_value = {:hello => 'world'}
assert_equal({:hello => 'world', :id => 10}, relation.scope_for_create)
assert_equal({'hello' => 'world', 'id' => 10}, relation.scope_for_create)
end
# FIXME: is this really wanted or expected behavior?