author | Rafael França <rafaelmfranca@gmail.com> | 2016-01-07 05:13:07 -0200 |
committer | Rafael França <rafaelmfranca@gmail.com> | 2016-01-07 05:13:07 -0200 |
commit | 21dd85f1ee0fb26007e5773226de3df07cbcfe39 (patch) | |
tree | c885552f696bb37db39ad1378d5cac4d78486e3d /actionpack | |
parent | 2674f8043ff610769d12eccd6ac9902345c336b7 (diff) | |
parent | a31078556a82ded9cb13c71727e146bb716a17ec (diff) | |
Merge pull request #22903 from prathamesh-sonpatki/allow-ac-parameters-hash-as-an-argument-to-routes
Allow `ActionController::Parameters` (AC::Parameters) instances as an argument to the URL helpers; only permitted parameters are accepted.
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 8 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/routing/route_set.rb | 13 | ||||
-rw-r--r-- | actionpack/test/dispatch/routing_test.rb | 21 |
3 files changed, 40 insertions, 2 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 39ac98fd63..0a5da2a94e 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,11 @@
+* Allow `ActionController::Parameters` instances as an argument to URL
+  helper methods. An `ArguemntError` will be raised if the passed parameters
+  are not secure.
+
+    Fixes #22832
+
+    *Prathamesh Sonpatki*
+
 * Add option for per-form CSRF tokens.
 
     *Ben Toews*
diff --git a/actionpack/lib/action_dispatch/routing/route_set.rb b/actionpack/lib/action_dispatch/routing/route_set.rb
index 2bd2e53252..846b5fa1fc 100644
--- a/actionpack/lib/action_dispatch/routing/route_set.rb
+++ b/actionpack/lib/action_dispatch/routing/route_set.rb
@@ -281,8 +281,17 @@ module ActionDispatch
           helper = UrlHelper.create(route, opts, route_key, url_strategy)
           mod.module_eval do
             define_method(name) do |*args|
-              options = nil
-              options = args.pop if args.last.is_a? Hash
+              last = args.last
+              options = case last
+                        when Hash
+                          args.pop
+                        when ActionController::Parameters
+                          if last.permitted?
+                            args.pop.to_h
+                          else
+                            raise ArgumentError, "Generating an URL from non sanitized request parameters is insecure!"
+                          end
+                        end
               helper.call self, args, options
             end
           end
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 82222a141c..62d65ec5c0 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
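Review bot: The `permitted?` gate in the new `when ActionController::Parameters` branch only records that the caller opted in via `permit`/`permit!`; it does not vet keys or values, so a permitted hash that carries request-supplied option keys (presumably `:host`, `:protocol` or `:only_path`, exactly as a plain Hash passed today would) still steers the generated URL, and `permit!` — which the accompanying test relies on — waives the gate wholesale. That limit is worth stating at the branch, e.g. `# permitted? proves the caller opted in, not that the values are safe: option keys in a permitted hash still reach the helper`. The error message would also serve callers better as a hint than a verdict: `raise ArgumentError, "Generating a URL from non-permitted request parameters is insecure; call permit on them first"`. The method that wraps this `mod.module_eval` block starts outside the hunk.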
@@ -3578,6 +3578,27 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
     assert_equal 'HEAD', @response.body
   end
 
+  def test_passing_action_parameters_to_url_helpers_raises_error_if_parameters_are_not_permitted
+    draw do
+      root :to => 'projects#index'
+    end
+    params = ActionController::Parameters.new(id: '1')
+
+    assert_raises ArgumentError do
+      root_path(params)
+    end
+  end
+
+  def test_passing_action_parameters_to_url_helpers_is_allowed_if_parameters_are_permitted
+    draw do
+      root :to => 'projects#index'
+    end
+    params = ActionController::Parameters.new(id: '1')
+    params.permit!
+
+    assert_equal '/?id=1', root_path(params)
+  end
+
   private
 
     def draw(&block)
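Review bot: `assert_raises ArgumentError` in `test_passing_action_parameters_to_url_helpers_raises_error_if_parameters_are_not_permitted` is satisfied by any ArgumentError, including an arity mismatch in the generated helper, so it does not pin the new guard; capture the exception and check its text: `error = assert_raises(ArgumentError) { root_path(params) }` followed by `assert_match(/non sanitized request parameters/, error.message)`. The allowed case is only exercised through `permit!`, which permits everything; a third test using `ActionController::Parameters.new(id: '1', admin: '1').permit(:id)` and asserting `'/?id=1'` would confirm that only the explicitly permitted keys are serialized into the URL. The test class continues outside the hunk.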