Don't allow `where` with non numeric string matches to 0 values

This is a follow-up of #35310.

Currently `Topic.find_by(id: "not-a-number")` matches to a `id = 0`
record. That is considered as silently leaking information.

If non numeric string is given to find by an integer column, it should
not be matched to any record.

Related #12793.

1 files changed, 5 insertions, 2 deletions

diff --git a/activemodel/lib/active_model/type/helpers/numeric.rb b/activemodel/lib/active_model/type/helpers/numeric.rb
index 444847a210..1d8171e25b 100644
--- a/activemodel/lib/active_model/type/helpers/numeric.rb
+++ b/activemodel/lib/active_model/type/helpers/numeric.rb
@@ -26,15 +26,18 @@ module ActiveModel
         private
 
           def number_to_non_number?(old_value, new_value_before_type_cast)
-            old_value != nil && non_numeric_string?(new_value_before_type_cast)
+            old_value != nil && non_numeric_string?(new_value_before_type_cast.to_s)
           end
 
           def non_numeric_string?(value)
             # 'wibble'.to_i will give zero, we want to make sure
             # that we aren't marking int zero to string zero as
             # changed.
-            !/\A[-+]?\d+/.match?(value.to_s)
+            !NUMERIC_REGEX.match?(value)
           end
+
+          NUMERIC_REGEX = /\A\s*[+-]?\d/
+          private_constant :NUMERIC_REGEX
       end
     end
   end