authorYves Senn <yves.senn@gmail.com>2013-11-05 17:29:52 +0100
committerYves Senn <yves.senn@gmail.com>2013-11-05 17:44:08 +0100
commit44406d1e77061ce22effaae4698918c1f9f6271a (patch)
tree2b6864e46ed700719a81bf79c233bfa626a4fafd
parent6c720d18a2770299433fae82c1cab25d0bd4033e (diff)
store enum mapping using `Strings` instead of `Symbols`.
This allows assigning both `String` and `Symbol` values to the enum without having to call `to_sym`, which is a security problem.
-rw-r--r--activerecord/lib/active_record/enum.rb3
-rw-r--r--activerecord/test/cases/enum_test.rb9
2 files changed, 9 insertions, 3 deletions
diff --git a/activerecord/lib/active_record/enum.rb b/activerecord/lib/active_record/enum.rb
index 6bfdf75a2d..a70638f3df 100644
--- a/activerecord/lib/active_record/enum.rb
+++ b/activerecord/lib/active_record/enum.rb
@@ -43,6 +43,7 @@ module ActiveRecord
_enum_methods_module.module_eval do
# def direction=(value) self[:direction] = DIRECTION[value] end
define_method("#{name}=") { |value|
+ value = value.to_s
unless enum_values.has_key?(value)
raise ArgumentError, "'#{value}' is not a valid #{name}"
end
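Review bot: The generated-method comment above the setter no longer matches the code, since the setter now coerces with `value.to_s` before the lookup; it should read `# def direction=(value) self[:direction] = DIRECTION[value.to_s] end`. The new line also deserves a why-comment, for example `# to_s, not to_sym: values may come from request params and must not be interned as Symbols`. Because `to_s` accepts any object, `nil` becomes `""` and is rejected with the message `'' is not a valid ...`, which is hard to diagnose. The setter body continues outside the hunk.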
@@ -54,7 +55,7 @@ module ActiveRecord
pairs = values.respond_to?(:each_pair) ? values.each_pair : values.each_with_index
pairs.each do |value, i|
- enum_values[value] = i
+ enum_values[value.to_s] = i
# scope :incoming, -> { where direction: 0 }
klass.scope value, -> { klass.where name => i }
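Review bot: Keying the mapping by `value.to_s` changes what callers outside this file see, and nothing in the commit documents it. The tests in enum_test.rb now expect `@book.status` to return `"proposed"` rather than `:proposed`, so an existing comparison such as `book.status == :proposed` evaluates to false without raising, which matters wherever an enum value gates access. If the mapping is a plain Hash (its construction is outside the hunk), Symbol lookups on it also start returning nil; consider an `ActiveSupport::HashWithIndifferentAccess`, or a CHANGELOG entry that states the new String contract. The `pairs.each` block continues past the hunk.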
diff --git a/activerecord/test/cases/enum_test.rb b/activerecord/test/cases/enum_test.rb
index 087db4c32c..54cc60913a 100644
--- a/activerecord/test/cases/enum_test.rb
+++ b/activerecord/test/cases/enum_test.rb
@@ -17,8 +17,8 @@ class EnumTest < ActiveRecord::TestCase
end
test "query state with symbol" do
- assert_equal :proposed, @book.status
- assert_equal :unread, @book.read_status
+ assert_equal "proposed", @book.status
+ assert_equal "unread", @book.read_status
end
test "find via scope" do
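Review bot: The test name `query state with symbol` is stale now that both assertions compare against Strings. Rename it to something like `test "query state returns string" do`, so that the name states the contract the enum reader has after this change.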
@@ -46,6 +46,11 @@ class EnumTest < ActiveRecord::TestCase
assert @book.written?
end
+ test "assign string value" do
+ @book.status = "written"
+ assert @book.written?
+ end
+
test "assign non existing value raises an error" do
e = assert_raises(ArgumentError) do
@book.status = :unknown
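Review bot: The new test covers only a valid String, so the case the commit message is about, an unknown String from untrusted input being rejected without `to_sym`, is not pinned. The existing negative test below assigns `:unknown`, a Symbol, and its body continues outside the hunk. Add a String counterpart, e.g. `assert_raises(ArgumentError) { @book.status = "unknown" }`.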