| author | Arthur Neves <arthurnn@gmail.com> | 2016-02-02 12:34:11 -0500 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-02-29 15:39:12 -0300 |
| commit | 769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9 (patch) | |
| tree | edda5caad1c6f069d2445f9243cd79833243f329 /actionpack/test/template/render_test.rb | |
| parent | af9b9132f82d1f468836997c716a02f14e61c38c (diff) | |
Don't allow render(params) in view/controller
`render(params)` is dangerous and could be a vector for attackers.
Don't allow calls to render passing params on views or controllers.
On a controller or view, we should not allow something like `render params[:id]` or `render params`.
That could be problematic, because an attacker could pass input that
could lead to a remote code execution attack.
This patch is also compatible when using strong parameters.
CVE-2016-2098
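The guard behaviour this change describes, as an added example that is not the Rails patch or any Rails code: a pure-Ruby stand-in that refuses to use a params-like Hash subclass as render options unless the object reports `permitted?`. The "reject any Hash subclass that is not permitted" rule and the `IndifferentHash`/`StrongParams` classes are assumptions chosen to match the three cases the test file exercises (`params` in Rails 3.2 is a HashWithIndifferentAccess; Strong Parameters objects answer `permitted?`).

```ruby
# Added example, not Rails code: a stand-in for the render-options guard.
# Assumption: request params arrive as a Hash subclass and Strong Parameters
# objects answer permitted?; a plain Hash literal is developer-written code.
def check_render_options(options)
  if options.respond_to?(:permitted?)
    # Strong Parameters: only an explicitly permitted object may drive render.
    return options if options.permitted?
    raise ArgumentError, "render parameters are not permitted"
  end
  # A Hash subclass without permitted? is treated as raw request input; letting
  # it choose :inline, :file or :text would let the client pick what is rendered.
  raise ArgumentError, "render parameters are not permitted" unless options.instance_of?(Hash)
  options
end

# Constructed stand-ins for the objects the tests use (no ActiveSupport needed).
class IndifferentHash < Hash; end   # plays { ... }.with_indifferent_access

class StrongParams < IndifferentHash # plays a Strong Parameters object
  def initialize(permitted)
    super()
    @permitted = permitted
  end

  def permitted?
    @permitted
  end
end

# Runs the guard over the cases from the patch; :rendered means the options
# were accepted, :rejected means the guard raised the expected ArgumentError.
def render_decisions
  cases = {
    plain_hash:  { inline: "<%= 'hello' %>" },
    params_hash: IndifferentHash.new.merge!(inline: "<%= RUBY_VERSION %>"),
    unpermitted: StrongParams.new(false).merge!(inline: "<%= RUBY_VERSION %>"),
    permitted:   StrongParams.new(true).merge!(inline: "<%= 'hello' %>"),
  }
  cases.transform_values do |opts|
    begin
      check_render_options(opts)
      :rendered
    rescue ArgumentError => e
      e.message == "render parameters are not permitted" ? :rejected : raise
    end
  end
end
```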
Diffstat (limited to 'actionpack/test/template/render_test.rb')
-rw-r--r-- | actionpack/test/template/render_test.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/actionpack/test/template/render_test.rb b/actionpack/test/template/render_test.rb index f207ad731f..2d0466585f 100644 --- a/actionpack/test/template/render_test.rb +++ b/actionpack/test/template/render_test.rb @@ -133,6 +133,33 @@ module RenderTestCases end end + def test_render_with_params + params = { :inline => '<%= RUBY_VERSION %>' }.with_indifferent_access + assert_raises ArgumentError do + @view.render(params) + end + end + + def test_render_with_strong_parameters + # compatibility with Strong Parameters gem + params = Class.new(HashWithIndifferentAccess).new + params[:inline] = '<%= RUBY_VERSION %>' + e = assert_raises ArgumentError do + @view.render(params) + end + assert_equal "render parameters are not permitted", e.message + end + + def test_render_with_permitted_strong_parameters + # compatibility with Strong Parameters gem + params = Class.new(HashWithIndifferentAccess).new + params[:inline] = "<%= 'hello' %>" + def params.permitted? + true + end + assert_equal 'hello', @view.render(params) + end + def test_render_partial assert_equal "only partial", @view.render(:partial => "test/partial_only") end |
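Review bot: `test_render_with_params` only asserts that an ArgumentError is raised, whereas `test_render_with_strong_parameters` also checks the message `"render parameters are not permitted"`; asserting the message in the first test as well would confirm the same rejection path fires for a bare `with_indifferent_access` hash rather than some unrelated ArgumentError. A short comment on why an indifferent-access hash stands in for `params` would document the intent the way the `# compatibility with Strong Parameters gem` comments do for the other two tests, and the hunk has no positive case checking that a plain `{ :inline => ... }` Hash literal still renders, which is the regression these changes most need to rule out.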