diff options
author | Jeremy Kemper <jeremykemper@gmail.com> | 2014-08-19 11:31:38 -0700 |
---|---|---|
committer | Jeremy Kemper <jeremykemper@gmail.com> | 2014-08-19 11:31:38 -0700 |
commit | 4d1d81d33804449b19f34643b4ed396a5da02edc (patch) | |
tree | 3d9f1976e507484487da69cfb34c2034a975915e /actionpack/test/controller/parameters/mutators_test.rb | |
parent | cc160fed001c57dfae03b107120d35a7f9826862 (diff) | |
parent | 3fcbbc8a1c7aec94aa325fd583ead92a7cd291b6 (diff) | |
download | rails-4d1d81d33804449b19f34643b4ed396a5da02edc.tar.gz rails-4d1d81d33804449b19f34643b4ed396a5da02edc.tar.bz2 rails-4d1d81d33804449b19f34643b4ed396a5da02edc.zip |
Merge pull request #16299 from sikachu/ps-safer-ac-params
Update `ActionController::Parameters` to be more secure on parameters handling
Diffstat (limited to 'actionpack/test/controller/parameters/mutators_test.rb')
-rw-r--r-- | actionpack/test/controller/parameters/mutators_test.rb | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/actionpack/test/controller/parameters/mutators_test.rb b/actionpack/test/controller/parameters/mutators_test.rb new file mode 100644 index 0000000000..744d8664be --- /dev/null +++ b/actionpack/test/controller/parameters/mutators_test.rb @@ -0,0 +1,99 @@ +require 'abstract_unit' +require 'action_controller/metal/strong_parameters' +require 'active_support/core_ext/hash/transform_values' + +class ParametersMutatorsTest < ActiveSupport::TestCase + setup do + @params = ActionController::Parameters.new( + person: { + age: '32', + name: { + first: 'David', + last: 'Heinemeier Hansson' + }, + addresses: [{city: 'Chicago', state: 'Illinois'}] + } + ) + end + + test "delete retains permitted status" do + @params.permit! + assert @params.delete(:person).permitted? + end + + test "delete retains unpermitted status" do + assert_not @params.delete(:person).permitted? + end + + test "delete_if retains permitted status" do + @params.permit! + assert @params.delete_if { |k| k == "person" }.permitted? + end + + test "delete_if retains unpermitted status" do + assert_not @params.delete_if { |k| k == "person" }.permitted? + end + + test "extract! retains permitted status" do + @params.permit! + assert @params.extract!(:person).permitted? + end + + test "extract! retains unpermitted status" do + assert_not @params.extract!(:person).permitted? + end + + test "keep_if retains permitted status" do + @params.permit! + assert @params.keep_if { |k,v| k == "person" }.permitted? + end + + test "keep_if retains unpermitted status" do + assert_not @params.keep_if { |k,v| k == "person" }.permitted? + end + + test "reject! retains permitted status" do + @params.permit! + assert @params.reject! { |k| k == "person" }.permitted? + end + + test "reject! retains unpermitted status" do + assert_not @params.reject! { |k| k == "person" }.permitted? + end + + test "select! retains permitted status" do + @params.permit! + assert @params.select! { |k| k != "person" }.permitted? + end + + test "select! retains unpermitted status" do + assert_not @params.select! { |k| k != "person" }.permitted? + end + + test "slice! retains permitted status" do + @params.permit! + assert @params.slice!(:person).permitted? + end + + test "slice! retains unpermitted status" do + assert_not @params.slice!(:person).permitted? + end + + test "transform_keys! retains permitted status" do + @params.permit! + assert @params.transform_keys! { |k| k }.permitted? + end + + test "transform_keys! retains unpermitted status" do + assert_not @params.transform_keys! { |k| k }.permitted? + end + + test "transform_values! retains permitted status" do + @params.permit! + assert @params.transform_values! { |v| v }.permitted? + end + + test "transform_values! retains unpermitted status" do + assert_not @params.transform_values! { |v| v }.permitted? + end +end |