diff options
| author | Ryuta Kamizono <kamipo@gmail.com> | 2019-02-18 15:27:23 +0900 |
|---|---|---|
| committer | Ryuta Kamizono <kamipo@gmail.com> | 2019-02-18 16:57:10 +0900 |
| commit | b09d8f6bb3a23cd907d084103fb5b4c02479a39b (patch) | |
| tree | 150e5356911c2cb1e4576a9190d1269e268f7145 /activerecord | |
| parent | 4ea067017ae52d4a74335ed85df085a86663d213 (diff) | |
| download | rails-b09d8f6bb3a23cd907d084103fb5b4c02479a39b.tar.gz rails-b09d8f6bb3a23cd907d084103fb5b4c02479a39b.tar.bz2 rails-b09d8f6bb3a23cd907d084103fb5b4c02479a39b.zip | |
Don't allow `where` with invalid value matches to nil values
That is considered as silently leaking information.
If type casting doesn't return any actual value, it should not be
matched to any record.
Fixes #33624.
Closes #33946.
Diffstat (limited to 'activerecord')
| -rw-r--r-- | activerecord/CHANGELOG.md | 6 | ||||
| -rw-r--r-- | activerecord/lib/active_record/relation/query_attribute.rb | 6 | ||||
| -rw-r--r-- | activerecord/test/cases/adapters/postgresql/uuid_test.rb | 6 | ||||
| -rw-r--r-- | activerecord/test/cases/relation/where_test.rb | 8 |
4 files changed, 22 insertions, 4 deletions
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 8d8aa89368..c1ce01c312 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,3 +1,9 @@ +* Don't allow `where` with invalid value matches to nil values. + + Fixes #33624. + + *Ryuta Kamizono* + * SQLite3: Implement `add_foreign_key` and `remove_foreign_key`. *Ryuta Kamizono* diff --git a/activerecord/lib/active_record/relation/query_attribute.rb b/activerecord/lib/active_record/relation/query_attribute.rb index 1dd6462d8d..cd18f27330 100644 --- a/activerecord/lib/active_record/relation/query_attribute.rb +++ b/activerecord/lib/active_record/relation/query_attribute.rb @@ -18,8 +18,10 @@ module ActiveRecord end def nil? - !value_before_type_cast.is_a?(StatementCache::Substitute) && - (value_before_type_cast.nil? || value_for_database.nil?) + unless value_before_type_cast.is_a?(StatementCache::Substitute) + value_before_type_cast.nil? || + type.respond_to?(:subtype, true) && value_for_database.nil? + end rescue ::RangeError end diff --git a/activerecord/test/cases/adapters/postgresql/uuid_test.rb b/activerecord/test/cases/adapters/postgresql/uuid_test.rb index 9912763c1b..6591d50d06 100644 --- a/activerecord/test/cases/adapters/postgresql/uuid_test.rb +++ b/activerecord/test/cases/adapters/postgresql/uuid_test.rb @@ -114,6 +114,12 @@ class PostgresqlUUIDTest < ActiveRecord::PostgreSQLTestCase assert_equal "foobar", uuid.guid_before_type_cast end + def test_invalid_uuid_dont_match_to_nil + UUIDType.create! + assert_empty UUIDType.where(guid: "") + assert_empty UUIDType.where(guid: "foobar") + end + def test_acceptable_uuid_regex # Valid uuids ["A0EEBC99-9C0B-4EF8-BB6D-6BB9BD380A11", diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb index d49ed092b2..bec204643b 100644 --- a/activerecord/test/cases/relation/where_test.rb +++ b/activerecord/test/cases/relation/where_test.rb @@ -50,8 +50,12 @@ module ActiveRecord assert_equal [chef], chefs.to_a end - def test_where_with_casted_value_is_nil - assert_equal 4, Topic.where(last_read: "").count + def test_where_with_invalid_value + topics(:first).update!(written_on: nil, bonus_time: nil, last_read: nil) + assert_empty Topic.where(parent_id: Object.new) + assert_empty Topic.where(written_on: "") + assert_empty Topic.where(bonus_time: "") + assert_empty Topic.where(last_read: "") end def test_rewhere_on_root |