Merge pull request #35236 from renuo/fix-30467

Prohibit sneaky custom params from being drawn (Fix #30467)
author: Rafael França <rafaelmfranca@gmail.com> 2019-03-27 16:31:16 -0400
committer: GitHub <noreply@github.com> 2019-03-27 16:31:16 -0400
commit: 93dbbe3a81bee6da2f1e88ca6971299b462cad93 (patch)
tree: f2e207eac70d70ee375fc69db7c7b03fd133a729 /actionpack
parent: 3a0929901ffa852bab9644c662b811d42780c3a1 (diff)
parent: 25f2e0c39da2b9c61db75df2d767ee9c10d583b8 (diff)
download: rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.gz
rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.bz2
rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.zip
3 files changed, 29 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 2df6f5fc09..9931a0de81 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,18 @@
+*   Raise an `ArgumentError` if a resource custom param contains a colon (`:`).
+
+    After this change it's not possible anymore to configure routes like this:
+
+    ```
+    routes.draw do
+      resources :users, param: 'name/:sneaky'
+    end
+    ```
+
+    Fixes #30467.
+
+    *Josua Schmid*
+
+
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 
 *   No changes.
diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index da3ade652e..2d2073de9a 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -1141,6 +1141,10 @@ module ActionDispatch
           attr_reader :controller, :path, :param
 
           def initialize(entities, api_only, shallow, options = {})
+            if options[:param].to_s.include?(":")
+              raise ArgumentError, ":param option can't contain colons"
+            end
+
             @name       = entities.to_s
             @path       = (options[:path] || @name).to_s
             @controller = (options[:controller] || @name).to_s
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index 897d17885e..7b763ec2bd 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -3338,6 +3338,16 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
     assert_equal "0c0c0b68-d24b-11e1-a861-001ff3fffe6f", @request.params[:download]
   end
 
+  def test_colon_containing_custom_param
+    ex = assert_raises(ArgumentError) {
+      draw do
+        resources :profiles, param: "username/:is_admin"
+      end
+    }
+
+    assert_match(/:param option can't contain colon/, ex.message)
+  end
+
   def test_action_from_path_is_not_frozen
     draw do
       get "search" => "search"
author	Rafael França <rafaelmfranca@gmail.com>	2019-03-27 16:31:16 -0400
committer	GitHub <noreply@github.com>	2019-03-27 16:31:16 -0400
commit	93dbbe3a81bee6da2f1e88ca6971299b462cad93 (patch)
tree	f2e207eac70d70ee375fc69db7c7b03fd133a729 /actionpack
parent	3a0929901ffa852bab9644c662b811d42780c3a1 (diff)
parent	25f2e0c39da2b9c61db75df2d767ee9c10d583b8 (diff)
download	rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.gz rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.tar.bz2 rails-93dbbe3a81bee6da2f1e88ca6971299b462cad93.zip