| author | Ryuta Kamizono <kamipo@gmail.com> | 2019-02-20 20:55:09 +0900 |
|---|---|---|
| committer | Ryuta Kamizono <kamipo@gmail.com> | 2019-02-20 22:00:56 +0900 |
| commit | 357cd23d3aedabb99fd70b812ffcea2d1cc9893d (patch) | |
| tree | d4a21b7e618b2d4b71d0534ce180eac9040a4bd5 /activemodel/lib/active_model/type/helpers/numeric.rb | |
| parent | df2ebf9b59b8ef063923136ba7097328db6c949f (diff) | |
Don't allow `where` with non numeric string matches to 0 values
This is a follow-up of #35310.
Currently `Topic.find_by(id: "not-a-number")` matches an `id = 0`
record. That is considered silently leaking information.
If a non-numeric string is given to find by an integer column, it should
not be matched to any record.
Related #12793.
Diffstat (limited to 'activemodel/lib/active_model/type/helpers/numeric.rb')
-rw-r--r-- | activemodel/lib/active_model/type/helpers/numeric.rb | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/activemodel/lib/active_model/type/helpers/numeric.rb b/activemodel/lib/active_model/type/helpers/numeric.rb index 444847a210..1d8171e25b 100644 --- a/activemodel/lib/active_model/type/helpers/numeric.rb +++ b/activemodel/lib/active_model/type/helpers/numeric.rb @@ -26,15 +26,18 @@ module ActiveModel private def number_to_non_number?(old_value, new_value_before_type_cast) - old_value != nil && non_numeric_string?(new_value_before_type_cast) + old_value != nil && non_numeric_string?(new_value_before_type_cast.to_s) end def non_numeric_string?(value) # 'wibble'.to_i will give zero, we want to make sure # that we aren't marking int zero to string zero as # changed. - !/\A[-+]?\d+/.match?(value.to_s) + !NUMERIC_REGEX.match?(value) end + + NUMERIC_REGEX = /\A\s*[+-]?\d/ + private_constant :NUMERIC_REGEX end end end |
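Review bot: the `.to_s` has moved from `non_numeric_string?` to its caller (`non_numeric_string?(new_value_before_type_cast.to_s)`), so the predicate now runs `NUMERIC_REGEX.match?(value)` on whatever it is handed; `Regexp#match?` raises `TypeError` for an argument that is neither a String nor nil (an Integer, for instance), so any other caller of `non_numeric_string?` (none is visible in this hunk) must be updated to pass a String, or the predicate should keep matching against `value.to_s`. Also worth a line in the commit message: `NUMERIC_REGEX = /\A\s*[+-]?\d/` differs from the old `/\A[-+]?\d+/` by tolerating leading whitespace, so `" 1"` is now treated as numeric where it was previously flagged as a number-to-non-number change; that agrees with what `String#to_i` accepts but is a behaviour change beyond what the title states.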