Check attributes passed to create_with and where

If the request parameters are passed to create_with and where they can
be used to do mass assignment when used in combination with
Relation#create.

Fixes CVE-2014-3514

Conflicts:
	activerecord/lib/active_record/relation/query_methods.rb

1 files changed, 30 insertions, 0 deletions

diff --git a/activerecord/test/cases/forbidden_attributes_protection_test.rb b/activerecord/test/cases/forbidden_attributes_protection_test.rb
index 981a75faf6..f4e7646f03 100644
--- a/activerecord/test/cases/forbidden_attributes_protection_test.rb
+++ b/activerecord/test/cases/forbidden_attributes_protection_test.rb
@@ -66,4 +66,34 @@ class ForbiddenAttributesProtectionTest < ActiveRecord::TestCase
     person = Person.new
     assert_nil person.assign_attributes(ProtectedParams.new({}))
   end
+
+  def test_create_with_checks_permitted
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Person.create_with(params).create!
+    end
+  end
+
+  def test_create_with_works_with_params_values
+    params = ProtectedParams.new(first_name: 'Guille')
+
+    person = Person.create_with(first_name: params[:first_name]).create!
+    assert_equal 'Guille', person.first_name
+  end
+
+  def test_where_checks_permitted
+    params = ProtectedParams.new(first_name: 'Guille', gender: 'm')
+
+    assert_raises(ActiveModel::ForbiddenAttributesError) do
+      Person.where(params).create!
+    end
+  end
+
+  def test_where_works_with_params_values
+    params = ProtectedParams.new(first_name: 'Guille')
+
+    person = Person.where(first_name: params[:first_name]).create!
+    assert_equal 'Guille', person.first_name
+  end
 end