author | Andrew White <andyw@pixeltrix.co.uk> | 2015-11-27 13:46:46 +0000 |
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-22 15:00:50 -0800 |
commit | 0fde6f554b75b13b0435dd70f1c3ec02bc209e0d (patch) | |
tree | 5fe0ba60d184911371863d299da9ba19149936dd /activerecord/lib | |
parent | 51313c21a63c3ed47ba20df3ad7f26a45d5bf684 (diff) | |
Don't short-circuit reject_if proc
When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.
The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.
CVE-2015-7577
Diffstat (limited to 'activerecord/lib')
-rw-r--r-- | activerecord/lib/active_record/nested_attributes.rb | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/activerecord/lib/active_record/nested_attributes.rb b/activerecord/lib/active_record/nested_attributes.rb
index c5a1488588..0d5a8e6f25 100644
--- a/activerecord/lib/active_record/nested_attributes.rb
+++ b/activerecord/lib/active_record/nested_attributes.rb
@@ -542,7 +542,7 @@ module ActiveRecord
 # has_destroy_flag? or if a <tt>:reject_if</tt> proc exists for this
 # association and evaluates to +true+.
 def reject_new_record?(association_name, attributes)
- has_destroy_flag?(attributes) || call_reject_if(association_name, attributes)
+ will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
 end
 
 # Determines if a record with the particular +attributes+ should be
@@ -551,7 +551,8 @@ module ActiveRecord
 #
 # Returns false if there is a +destroy_flag+ on the attributes.
 def call_reject_if(association_name, attributes)
- return false if has_destroy_flag?(attributes)
+ return false if will_be_destroyed?(association_name, attributes)
+
 case callback = self.nested_attributes_options[association_name][:reject_if]
 when Symbol
 method(callback).arity == 0 ? send(callback) : send(callback, attributes)
@@ -560,6 +561,15 @@ module ActiveRecord
 end
 end
 
+ # Only take into account the destroy flag if <tt>:allow_destroy</tt> is true
+ def will_be_destroyed?(association_name, attributes)
+ allow_destroy?(association_name) && has_destroy_flag?(attributes)
+ end
+
+ def allow_destroy?(association_name)
+ self.nested_attributes_options[association_name][:allow_destroy]
+ end
+
 def raise_nested_attributes_record_not_found!(association_name, record_id)
 model = self.class._reflect_on_association(association_name).klass.name
 raise RecordNotFound.new("Couldn't find #{model} with ID=#{record_id} for #{self.class.name} with ID=#{id}",
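Review bot: The doc comments left as context in the first two hunks are now stale: `reject_new_record?` is still described as rejecting when `has_destroy_flag?` is true, and `call_reject_if` as returning false "if there is a +destroy_flag+ on the attributes", yet both methods now go through `will_be_destroyed?`, which ignores the flag unless `:allow_destroy` is enabled. That distinction is the whole substance of the fix, so the comments should state it to keep a later refactor from reintroducing the bypass — e.g. change the first context line to `# will_be_destroyed? or if a <tt>:reject_if</tt> proc exists for this` (that comment begins on a line outside the hunk) and the second to `# Returns false if the _destroy flag is set and <tt>:allow_destroy</tt> is true.`. In the third hunk `allow_destroy?` has no comment at all; a one-liner such as `# Whether the <tt>:allow_destroy</tt> option is enabled for +association_name+` would suffice, and it is worth noting there that the method returns the raw option value rather than a strict boolean. The enclosing module and the bodies of the surrounding methods extend outside these hunks.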