Don't allow `where` with non numeric string matches to 0 values

This is a follow-up of #35310.

Currently `Topic.find_by(id: "not-a-number")` matches to a `id = 0`
record. That is considered as silently leaking information.

If non numeric string is given to find by an integer column, it should
not be matched to any record.

Related #12793.

2 files changed, 6 insertions, 1 deletions

diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
index 8f626156a2..99a76b5b94 100644
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Don't allow `where` with non numeric string matches to 0 values.
+
+    *Ryuta Kamizono*
+
 *   Introduce `ActiveRecord::Relation#destroy_by` and `ActiveRecord::Relation#delete_by`.
 
     `destroy_by` allows relation to find all the records matching the condition and perform
diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
index bec204643b..5c729e68cd 100644
--- a/activerecord/test/cases/relation/where_test.rb
+++ b/activerecord/test/cases/relation/where_test.rb
@@ -51,8 +51,9 @@ module ActiveRecord
     end
 
     def test_where_with_invalid_value
-      topics(:first).update!(written_on: nil, bonus_time: nil, last_read: nil)
+      topics(:first).update!(parent_id: 0, written_on: nil, bonus_time: nil, last_read: nil)
       assert_empty Topic.where(parent_id: Object.new)
+      assert_empty Topic.where(parent_id: "not-a-number")
       assert_empty Topic.where(written_on: "")
       assert_empty Topic.where(bonus_time: "")
       assert_empty Topic.where(last_read: "")