authorAndrew White <andrew.white@unboxedconsulting.com>2016-03-01 08:48:53 +0000
committerAndrew White <andrew.white@unboxedconsulting.com>2016-03-01 08:48:53 +0000
commit6520ea5f7e2215a763ca74bf6cfa87be2347d5df (patch)
tree4943801777acd80bd9a3f9eca812f2373ce7008b /actionpack/test/controller/new_base
parent1d3502c32e5553d3e9e73cb7d38db0c1d6427aaf (diff)
Deprecate :controller and :action path parameters
Allowing :controller and :action values to be specified via the path in config/routes.rb has been an underlying cause of a number of issues in Rails that have resulted in security releases. In light of this it's better that controllers and actions are explicitly whitelisted rather than trying to blacklist or sanitize 'bad' values.
Diffstat (limited to 'actionpack/test/controller/new_base')
-rw-r--r--actionpack/test/controller/new_base/content_type_test.rb4
-rw-r--r--actionpack/test/controller/new_base/render_body_test.rb4
-rw-r--r--actionpack/test/controller/new_base/render_html_test.rb4
-rw-r--r--actionpack/test/controller/new_base/render_plain_test.rb4
-rw-r--r--actionpack/test/controller/new_base/render_template_test.rb2
-rw-r--r--actionpack/test/controller/new_base/render_test.rb8
-rw-r--r--actionpack/test/controller/new_base/render_text_test.rb4
7 files changed, 18 insertions, 12 deletions
diff --git a/actionpack/test/controller/new_base/content_type_test.rb b/actionpack/test/controller/new_base/content_type_test.rb
index a9dcdde4b8..0b3a26807d 100644
--- a/actionpack/test/controller/new_base/content_type_test.rb
+++ b/actionpack/test/controller/new_base/content_type_test.rb
@@ -43,7 +43,9 @@ module ContentType
test "default response is text/plain and UTF8" do
with_routing do |set|
set.draw do
- get ':controller', :action => 'index'
+ ActiveSupport::Deprecation.silence do
+ get ':controller', :action => 'index'
+ end
end
get "/content_type/base"
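Review bot: Wrapping `get ':controller', :action => 'index'` in `ActiveSupport::Deprecation.silence` keeps this test dispatching through a dynamic `:controller` path segment, the mechanism the commit message ties to earlier security releases, so the test will fail once the deprecated path is removed and gives no warning in the meantime. The same applies to every hunk in render_body_test.rb, render_html_test.rb, render_plain_test.rb, render_template_test.rb, render_test.rb and render_text_test.rb. Where the test is not about dynamic dispatch itself, an explicit route removes the need for silencing, for example `get "content_type/base", to: "content_type/base#index"` (controller name inferred from the request path; confirm against the controllers defined in this file, which are outside the hunk). If the dynamic route has to stay for now, a comment such as `# :controller path segment is deprecated; silenced until these tests use explicit routes` above the silence block would record why it is there.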
diff --git a/actionpack/test/controller/new_base/render_body_test.rb b/actionpack/test/controller/new_base/render_body_test.rb
index f4a3db8b41..c65c245773 100644
--- a/actionpack/test/controller/new_base/render_body_test.rb
+++ b/actionpack/test/controller/new_base/render_body_test.rb
@@ -85,7 +85,7 @@ module RenderBody
test "rendering body from an action with default options renders the body with the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
get "/render_body/simple"
assert_body "hello david"
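Review bot: The nested one-line form `set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }` is repeated verbatim in both hunks of this file and in render_html_test.rb, render_plain_test.rb and render_text_test.rb, while content_type_test.rb and render_test.rb spell the same route in multi-line `do … end` form. A single shared test helper would keep the silencing in one place, so that dropping the deprecated route later is one edit rather than a dozen. The sketch below uses a suggested helper name; where it should live in the test support code is not visible from this page, and both test bodies continue outside their hunks.

```ruby
# Draws the deprecated dynamic route with its deprecation warning silenced.
# Remove once these tests declare explicit controller/action routes.
def draw_dynamic_controller_route(set)
  set.draw do
    ActiveSupport::Deprecation.silence do
      get ':controller', action: 'index'
    end
  end
end

# … unchanged: test name and with_routing block …
draw_dynamic_controller_route(set)
```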
@@ -95,7 +95,7 @@ module RenderBody
test "rendering body from an action with default options renders the body without the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
get "/render_body/with_layout"
diff --git a/actionpack/test/controller/new_base/render_html_test.rb b/actionpack/test/controller/new_base/render_html_test.rb
index e9ea57e329..bfed136496 100644
--- a/actionpack/test/controller/new_base/render_html_test.rb
+++ b/actionpack/test/controller/new_base/render_html_test.rb
@@ -88,7 +88,7 @@ module RenderHtml
test "rendering text from an action with default options renders the text with the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
get "/render_html/simple"
assert_body "hello david"
@@ -98,7 +98,7 @@ module RenderHtml
test "rendering text from an action with default options renders the text without the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
get "/render_html/with_layout"
diff --git a/actionpack/test/controller/new_base/render_plain_test.rb b/actionpack/test/controller/new_base/render_plain_test.rb
index 0881442bd0..94afe7bcfe 100644
--- a/actionpack/test/controller/new_base/render_plain_test.rb
+++ b/actionpack/test/controller/new_base/render_plain_test.rb
@@ -80,7 +80,7 @@ module RenderPlain
test "rendering text from an action with default options renders the text with the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
get "/render_plain/simple"
assert_body "hello david"
@@ -90,7 +90,7 @@ module RenderPlain
test "rendering text from an action with default options renders the text without the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
get "/render_plain/with_layout"
diff --git a/actionpack/test/controller/new_base/render_template_test.rb b/actionpack/test/controller/new_base/render_template_test.rb
index b06ce5db40..0d4c7cdb0a 100644
--- a/actionpack/test/controller/new_base/render_template_test.rb
+++ b/actionpack/test/controller/new_base/render_template_test.rb
@@ -177,7 +177,7 @@ module RenderTemplate
class TestWithLayout < Rack::TestCase
test "rendering with implicit layout" do
with_routing do |set|
- set.draw { get ':controller', :action => :index }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', :action => :index } }
get "/render_template/with_layout"
diff --git a/actionpack/test/controller/new_base/render_test.rb b/actionpack/test/controller/new_base/render_test.rb
index 963f2c2f5c..1fb852a2c4 100644
--- a/actionpack/test/controller/new_base/render_test.rb
+++ b/actionpack/test/controller/new_base/render_test.rb
@@ -57,7 +57,9 @@ module Render
test "render with blank" do
with_routing do |set|
set.draw do
- get ":controller", :action => 'index'
+ ActiveSupport::Deprecation.silence do
+ get ":controller", :action => 'index'
+ end
end
get "/render/blank_render"
@@ -70,7 +72,9 @@ module Render
test "rendering more than once raises an exception" do
with_routing do |set|
set.draw do
- get ":controller", :action => 'index'
+ ActiveSupport::Deprecation.silence do
+ get ":controller", :action => 'index'
+ end
end
assert_raises(AbstractController::DoubleRenderError) do
diff --git a/actionpack/test/controller/new_base/render_text_test.rb b/actionpack/test/controller/new_base/render_text_test.rb
index 048458178c..d4111d432c 100644
--- a/actionpack/test/controller/new_base/render_text_test.rb
+++ b/actionpack/test/controller/new_base/render_text_test.rb
@@ -83,7 +83,7 @@ module RenderText
test "rendering text from an action with default options renders the text with the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
ActiveSupport::Deprecation.silence do
get "/render_text/simple"
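Review bot: Two `ActiveSupport::Deprecation.silence` blocks now sit back to back in this test for unrelated reasons and nothing tells them apart. The one added on the `set.draw` line hides the `:controller` path-parameter warning, while the existing one around the request presumably hides a different deprecation whose cause is not visible in the hunk. A short comment on the route line, e.g. `# silences the :controller path parameter deprecation`, would keep a later cleanup from removing the wrong block or merging both into a wider silence that also hides new warnings. The hunk at `-96,7` in this file has the same layout, and both test bodies continue outside their hunks.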
@@ -96,7 +96,7 @@ module RenderText
test "rendering text from an action with default options renders the text without the layout" do
with_routing do |set|
- set.draw { get ':controller', action: 'index' }
+ set.draw { ActiveSupport::Deprecation.silence { get ':controller', action: 'index' } }
ActiveSupport::Deprecation.silence do
get "/render_text/with_layout"