10 files changed, 393 insertions, 183 deletions

diff --git a/actionpack/test/controller/parameters/accessors_test.rb b/actionpack/test/controller/parameters/accessors_test.rb
index bd43ff7697..2893eb7b91 100644
--- a/actionpack/test/controller/parameters/accessors_test.rb
+++ b/actionpack/test/controller/parameters/accessors_test.rb
@@ -1,17 +1,19 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
-require 'active_support/core_ext/hash/transform_values'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
+require "active_support/core_ext/hash/transform_values"
 
 class ParametersAccessorsTest < ActiveSupport::TestCase
   setup do
+    ActionController::Parameters.permit_all_parameters = false
+
     @params = ActionController::Parameters.new(
       person: {
-        age: '32',
+        age: "32",
         name: {
-          first: 'David',
-          last: 'Heinemeier Hansson'
+          first: "David",
+          last: "Heinemeier Hansson"
         },
-        addresses: [{city: 'Chicago', state: 'Illinois'}]
+        addresses: [{ city: "Chicago", state: "Illinois" }]
       }
     )
   end
@@ -129,9 +131,79 @@ class ParametersAccessorsTest < ActiveSupport::TestCase
     assert_not @params[:person].values_at(:name).first.permitted?
   end
 
-  test "equality with another hash works" do
-    hash1 = { foo: :bar }
-    params1 = ActionController::Parameters.new(hash1)
-    assert(params1 == hash1)
+  test "is equal to Parameters instance with same params" do
+    params1 = ActionController::Parameters.new(a: 1, b: 2)
+    params2 = ActionController::Parameters.new(a: 1, b: 2)
+    assert(params1 == params2)
+  end
+
+  test "is equal to Parameters instance with same permitted params" do
+    params1 = ActionController::Parameters.new(a: 1, b: 2).permit(:a)
+    params2 = ActionController::Parameters.new(a: 1, b: 2).permit(:a)
+    assert(params1 == params2)
+  end
+
+  test "is equal to Parameters instance with same different source params, but same permitted params" do
+    params1 = ActionController::Parameters.new(a: 1, b: 2).permit(:a)
+    params2 = ActionController::Parameters.new(a: 1, c: 3).permit(:a)
+    assert(params1 == params2)
+    assert(params2 == params1)
+  end
+
+  test "is not equal to an unpermitted Parameters instance with same params" do
+    params1 = ActionController::Parameters.new(a: 1).permit(:a)
+    params2 = ActionController::Parameters.new(a: 1)
+    assert(params1 != params2)
+    assert(params2 != params1)
+  end
+
+  test "is not equal to Parameters instance with different permitted params" do
+    params1 = ActionController::Parameters.new(a: 1, b: 2).permit(:a, :b)
+    params2 = ActionController::Parameters.new(a: 1, b: 2).permit(:a)
+    assert(params1 != params2)
+    assert(params2 != params1)
+  end
+
+  test "equality with simple types works" do
+    assert(@params != "Hello")
+    assert(@params != 42)
+    assert(@params != false)
+  end
+
+  test "inspect shows both class name, parameters and permitted flag" do
+    assert_equal(
+      '<ActionController::Parameters {"person"=>{"age"=>"32", '\
+        '"name"=>{"first"=>"David", "last"=>"Heinemeier Hansson"}, ' \
+        '"addresses"=>[{"city"=>"Chicago", "state"=>"Illinois"}]}} permitted: false>',
+      @params.inspect
+    )
+  end
+
+  test "inspect prints updated permitted flag in the output" do
+    assert_match(/permitted: false/, @params.inspect)
+
+    @params.permit!
+
+    assert_match(/permitted: true/, @params.inspect)
+  end
+
+  if Hash.method_defined?(:dig)
+    test "#dig delegates the dig method to its values" do
+      assert_equal "David", @params.dig(:person, :name, :first)
+      assert_equal "Chicago", @params.dig(:person, :addresses, 0, :city)
+    end
+
+    test "#dig converts hashes to parameters" do
+      assert_kind_of ActionController::Parameters, @params.dig(:person)
+      assert_kind_of ActionController::Parameters, @params.dig(:person, :addresses, 0)
+      assert @params.dig(:person, :addresses).all? do |value|
+        value.is_a?(ActionController::Parameters)
+      end
+    end
+  else
+    test "ActionController::Parameters does not respond to #dig on Ruby 2.2" do
+      assert_not ActionController::Parameters.method_defined?(:dig)
+      assert_not @params.respond_to?(:dig)
+    end
   end
 end
diff --git a/actionpack/test/controller/parameters/always_permitted_parameters_test.rb b/actionpack/test/controller/parameters/always_permitted_parameters_test.rb
index c5bfb10b53..cd7c98f112 100644
--- a/actionpack/test/controller/parameters/always_permitted_parameters_test.rb
+++ b/actionpack/test/controller/parameters/always_permitted_parameters_test.rb
@@ -1,5 +1,5 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
 
 class AlwaysPermittedParametersTest < ActiveSupport::TestCase
   def setup
@@ -19,10 +19,9 @@ class AlwaysPermittedParametersTest < ActiveSupport::TestCase
   end
 
   test "permits parameters that are whitelisted" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: { pages: 65 },
-      format: "json"
-    })
+      format: "json")
     permitted = params.permit book: [:pages]
     assert permitted.permitted?
   end
diff --git a/actionpack/test/controller/parameters/dup_test.rb b/actionpack/test/controller/parameters/dup_test.rb
new file mode 100644
index 0000000000..fb707a1354
--- /dev/null
+++ b/actionpack/test/controller/parameters/dup_test.rb
@@ -0,0 +1,65 @@
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
+require "active_support/core_ext/object/deep_dup"
+
+class ParametersDupTest < ActiveSupport::TestCase
+  setup do
+    ActionController::Parameters.permit_all_parameters = false
+
+    @params = ActionController::Parameters.new(
+      person: {
+        age: "32",
+        name: {
+          first: "David",
+          last: "Heinemeier Hansson"
+        },
+        addresses: [{ city: "Chicago", state: "Illinois" }]
+      }
+    )
+  end
+
+  test "a duplicate maintains the original's permitted status" do
+    @params.permit!
+    dupped_params = @params.dup
+    assert dupped_params.permitted?
+  end
+
+  test "a duplicate maintains the original's parameters" do
+    @params.permit!
+    dupped_params = @params.dup
+    assert_equal @params.to_h, dupped_params.to_h
+  end
+
+  test "changes to a duplicate's parameters do not affect the original" do
+    dupped_params = @params.dup
+    dupped_params.delete(:person)
+    assert_not_equal @params, dupped_params
+  end
+
+  test "changes to a duplicate's permitted status do not affect the original" do
+    dupped_params = @params.dup
+    dupped_params.permit!
+    assert_not_equal @params, dupped_params
+  end
+
+  test "deep_dup content" do
+    dupped_params = @params.deep_dup
+    dupped_params[:person][:age] = "45"
+    dupped_params[:person][:addresses].clear
+
+    assert_not_equal @params[:person][:age], dupped_params[:person][:age]
+    assert_not_equal @params[:person][:addresses], dupped_params[:person][:addresses]
+  end
+
+  test "deep_dup @permitted" do
+    dupped_params = @params.deep_dup
+    dupped_params.permit!
+
+    assert_not @params.permitted?
+  end
+
+  test "deep_dup @permitted is being copied" do
+    @params.permit!
+    assert @params.deep_dup.permitted?
+  end
+end
diff --git a/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb b/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb
index 9ce04b9aeb..c800c1d3df 100644
--- a/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb
+++ b/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb
@@ -1,5 +1,5 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
 
 class LogOnUnpermittedParamsTest < ActiveSupport::TestCase
   def setup
@@ -11,62 +11,58 @@ class LogOnUnpermittedParamsTest < ActiveSupport::TestCase
   end
 
   test "logs on unexpected param" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: { pages: 65 },
-      fishing: "Turnips"
-    })
+      fishing: "Turnips")
 
-    assert_logged("Unpermitted parameter: fishing") do
+    assert_logged("Unpermitted parameter: :fishing") do
       params.permit(book: [:pages])
     end
   end
 
   test "logs on unexpected params" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: { pages: 65 },
       fishing: "Turnips",
-      car: "Mersedes"
-    })
+      car: "Mersedes")
 
-    assert_logged("Unpermitted parameters: fishing, car") do
+    assert_logged("Unpermitted parameters: :fishing, :car") do
       params.permit(book: [:pages])
     end
   end
 
   test "logs on unexpected nested param" do
-    params = ActionController::Parameters.new({
-      book: { pages: 65, title: "Green Cats and where to find then." }
-    })
+    params = ActionController::Parameters.new(
+      book: { pages: 65, title: "Green Cats and where to find then." })
 
-    assert_logged("Unpermitted parameter: title") do
+    assert_logged("Unpermitted parameter: :title") do
       params.permit(book: [:pages])
     end
   end
 
   test "logs on unexpected nested params" do
-    params = ActionController::Parameters.new({
-      book: { pages: 65, title: "Green Cats and where to find then.", author: "G. A. Dog" }
-    })
+    params = ActionController::Parameters.new(
+      book: { pages: 65, title: "Green Cats and where to find then.", author: "G. A. Dog" })
 
-    assert_logged("Unpermitted parameters: title, author") do
+    assert_logged("Unpermitted parameters: :title, :author") do
       params.permit(book: [:pages])
     end
   end
 
   private
 
-  def assert_logged(message)
-    old_logger = ActionController::Base.logger
-    log = StringIO.new
-    ActionController::Base.logger = Logger.new(log)
+    def assert_logged(message)
+      old_logger = ActionController::Base.logger
+      log = StringIO.new
+      ActionController::Base.logger = Logger.new(log)
 
-    begin
-      yield
+      begin
+        yield
 
-      log.rewind
-      assert_match message, log.read
-    ensure
-      ActionController::Base.logger = old_logger
+        log.rewind
+        assert_match message, log.read
+      ensure
+        ActionController::Base.logger = old_logger
+      end
     end
-  end
 end
diff --git a/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb b/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb
index 15338059bc..88fb477c10 100644
--- a/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb
+++ b/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb
@@ -1,9 +1,9 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
 
 class MultiParameterAttributesTest < ActiveSupport::TestCase
   test "permitted multi-parameter attribute keys" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         "shipped_at(1i)"   => "2012",
         "shipped_at(2i)"   => "3",
@@ -15,8 +15,7 @@ class MultiParameterAttributesTest < ActiveSupport::TestCase
         "published_at(3i)" => "5",
         "price(1)"         => "R$",
         "price(2f)"        => "2.02"
-      }
-    })
+      })
 
     permitted = params.permit book: [ :shipped_at, :price ]
 
diff --git a/actionpack/test/controller/parameters/mutators_test.rb b/actionpack/test/controller/parameters/mutators_test.rb
index 744d8664be..e060e5180f 100644
--- a/actionpack/test/controller/parameters/mutators_test.rb
+++ b/actionpack/test/controller/parameters/mutators_test.rb
@@ -1,17 +1,17 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
-require 'active_support/core_ext/hash/transform_values'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
+require "active_support/core_ext/hash/transform_values"
 
 class ParametersMutatorsTest < ActiveSupport::TestCase
   setup do
     @params = ActionController::Parameters.new(
       person: {
-        age: '32',
+        age: "32",
         name: {
-          first: 'David',
-          last: 'Heinemeier Hansson'
+          first: "David",
+          last: "Heinemeier Hansson"
         },
-        addresses: [{city: 'Chicago', state: 'Illinois'}]
+        addresses: [{ city: "Chicago", state: "Illinois" }]
       }
     )
   end
diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_permit_test.rb
index 7151a8567c..5f86901e30 100644
--- a/actionpack/test/controller/parameters/nested_parameters_test.rb
+++ b/actionpack/test/controller/parameters/nested_parameters_permit_test.rb
@@ -1,13 +1,13 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
 
-class NestedParametersTest < ActiveSupport::TestCase
+class NestedParametersPermitTest < ActiveSupport::TestCase
   def assert_filtered_out(params, key)
     assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
   end
 
   test "permitted nested parameters" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         title: "Romeo and Juliet",
         authors: [{
@@ -23,11 +23,10 @@ class NestedParametersTest < ActiveSupport::TestCase
           genre: "Tragedy"
         },
         id: {
-          isbn: 'x'
+          isbn: "x"
         }
       },
-      magazine: "Mjallo!"
-    })
+      magazine: "Mjallo!")
 
     permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ]
 
@@ -45,74 +44,69 @@ class NestedParametersTest < ActiveSupport::TestCase
   end
 
   test "permitted nested parameters with a string or a symbol as a key" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
-        'authors' => [
-          { name: 'William Shakespeare', born: '1564-04-26' },
-          { name: 'Christopher Marlowe' }
+        "authors" => [
+          { name: "William Shakespeare", born: "1564-04-26" },
+          { name: "Christopher Marlowe" }
         ]
-      }
-    })
+      })
 
-    permitted = params.permit book: [ { 'authors' => [ :name ] } ]
+    permitted = params.permit book: [ { "authors" => [ :name ] } ]
 
-    assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name]
-    assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name]
-    assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name]
-    assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name]
+    assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
 
     permitted = params.permit book: [ { authors: [ :name ] } ]
 
-    assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name]
-    assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name]
-    assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name]
-    assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name]
+    assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
   end
 
   test "nested arrays with strings" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         genres: ["Tragedy"]
-      }
-    })
+      })
 
-    permitted = params.permit book: {genres: []}
+    permitted = params.permit book: { genres: [] }
     assert_equal ["Tragedy"], permitted[:book][:genres]
   end
 
   test "permit may specify symbols or strings" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         title: "Romeo and Juliet",
         author: "William Shakespeare"
       },
-      magazine: "Shakespeare Today"
-    })
+      magazine: "Shakespeare Today")
 
-    permitted = params.permit({book: ["title", :author]}, "magazine")
+    permitted = params.permit({ book: ["title", :author] }, "magazine")
     assert_equal "Romeo and Juliet", permitted[:book][:title]
     assert_equal "William Shakespeare", permitted[:book][:author]
     assert_equal "Shakespeare Today", permitted[:magazine]
   end
 
   test "nested array with strings that should be hashes" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         genres: ["Tragedy"]
-      }
-    })
+      })
 
     permitted = params.permit book: { genres: :type }
     assert_empty permitted[:book][:genres]
   end
 
   test "nested array with strings that should be hashes and additional values" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         title: "Romeo and Juliet",
         genres: ["Tragedy"]
-      }
-    })
+      })
 
     permitted = params.permit book: [ :title, { genres: :type } ]
     assert_equal "Romeo and Juliet", permitted[:book][:title]
@@ -120,66 +114,62 @@ class NestedParametersTest < ActiveSupport::TestCase
   end
 
   test "nested string that should be a hash" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         genre: "Tragedy"
-      }
-    })
+      })
 
     permitted = params.permit book: { genre: :type }
     assert_nil permitted[:book][:genre]
   end
 
   test "fields_for-style nested params" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         authors_attributes: {
-          :'0' => { name: 'William Shakespeare', age_of_death: '52' },
-          :'1' => { name: 'Unattributed Assistant' },
-          :'2' => { name: %w(injected names) }
+          '0': { name: "William Shakespeare", age_of_death: "52" },
+          '1': { name: "Unattributed Assistant" },
+          '2': { name: %w(injected names) }
         }
-      }
-    })
+      })
     permitted = params.permit book: { authors_attributes: [ :name ] }
 
-    assert_not_nil permitted[:book][:authors_attributes]['0']
-    assert_not_nil permitted[:book][:authors_attributes]['1']
-    assert_empty permitted[:book][:authors_attributes]['2']
-    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
-    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+    assert_not_nil permitted[:book][:authors_attributes]["0"]
+    assert_not_nil permitted[:book][:authors_attributes]["1"]
+    assert_empty permitted[:book][:authors_attributes]["2"]
+    assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["0"][:name]
+    assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["1"][:name]
 
-    assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death
+    assert_filtered_out permitted[:book][:authors_attributes]["0"], :age_of_death
   end
 
   test "fields_for-style nested params with negative numbers" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: {
         authors_attributes: {
-          :'-1' => { name: 'William Shakespeare', age_of_death: '52' },
-          :'-2' => { name: 'Unattributed Assistant' }
+          '-1': { name: "William Shakespeare", age_of_death: "52" },
+          '-2': { name: "Unattributed Assistant" }
         }
-      }
-    })
+      })
     permitted = params.permit book: { authors_attributes: [:name] }
 
-    assert_not_nil permitted[:book][:authors_attributes]['-1']
-    assert_not_nil permitted[:book][:authors_attributes]['-2']
-    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
-    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+    assert_not_nil permitted[:book][:authors_attributes]["-1"]
+    assert_not_nil permitted[:book][:authors_attributes]["-2"]
+    assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["-1"][:name]
+    assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["-2"][:name]
 
-    assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
+    assert_filtered_out permitted[:book][:authors_attributes]["-1"], :age_of_death
   end
 
   test "nested number as key" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       product: {
         properties: {
-          '0' => "prop0",
-          '1' => "prop1"
+          "0" => "prop0",
+          "1" => "prop1"
         }
-      }
-    })
-    params = params.require(:product).permit(:properties => ["0"])
+      })
+    params = params.require(:product).permit(properties: ["0"])
     assert_not_nil        params[:properties]["0"]
     assert_nil            params[:properties]["1"]
     assert_equal "prop0", params[:properties]["0"]
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index 3299f2d9d0..728d8e1279 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -1,6 +1,6 @@
-require 'abstract_unit'
-require 'action_dispatch/http/upload'
-require 'action_controller/metal/strong_parameters'
+require "abstract_unit"
+require "action_dispatch/http/upload"
+require "action_controller/metal/strong_parameters"
 
 class ParametersPermitTest < ActiveSupport::TestCase
   def assert_filtered_out(params, key)
@@ -10,32 +10,53 @@ class ParametersPermitTest < ActiveSupport::TestCase
   setup do
     @params = ActionController::Parameters.new(
       person: {
-        age: '32',
+        age: "32",
         name: {
-          first: 'David',
-          last: 'Heinemeier Hansson'
+          first: "David",
+          last: "Heinemeier Hansson"
         },
-        addresses: [{city: 'Chicago', state: 'Illinois'}]
+        addresses: [{ city: "Chicago", state: "Illinois" }]
       }
     )
 
     @struct_fields = []
     %w(0 1 12).each do |number|
-      ['', 'i', 'f'].each do |suffix|
+      ["", "i", "f"].each do |suffix|
         @struct_fields << "sf(#{number}#{suffix})"
       end
     end
   end
 
-  test 'if nothing is permitted, the hash becomes empty' do
-    params = ActionController::Parameters.new(id: '1234')
+  def walk_permitted(params)
+    params.each do |k,v|
+      case v
+      when ActionController::Parameters
+        walk_permitted v
+      when Array
+        v.each { |x| walk_permitted v }
+      end
+    end
+  end
+
+  test "iteration should not impact permit" do
+    hash = { "foo"=>{ "bar"=>{ "0"=>{ "baz"=>"hello", "zot"=>"1" } } } }
+    params = ActionController::Parameters.new(hash)
+
+    walk_permitted params
+
+    sanitized = params[:foo].permit(bar: [:baz])
+    assert_equal({ "0"=>{ "baz"=>"hello" } }, sanitized[:bar].to_unsafe_h)
+  end
+
+  test "if nothing is permitted, the hash becomes empty" do
+    params = ActionController::Parameters.new(id: "1234")
     permitted = params.permit
     assert permitted.permitted?
     assert permitted.empty?
   end
 
-  test 'key: permitted scalar values' do
-    values  = ['a', :a, nil]
+  test "key: permitted scalar values" do
+    values  = ["a", :a, nil]
     values += [0, 1.0, 2**128, BigDecimal.new(1)]
     values += [true, false]
     values += [Date.today, Time.now, DateTime.now]
@@ -55,15 +76,15 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end
   end
 
-  test 'key: unknown keys are filtered out' do
-    params = ActionController::Parameters.new(id: '1234', injected: 'injected')
+  test "key: unknown keys are filtered out" do
+    params = ActionController::Parameters.new(id: "1234", injected: "injected")
     permitted = params.permit(:id)
-    assert_equal '1234', permitted[:id]
+    assert_equal "1234", permitted[:id]
     assert_filtered_out permitted, :injected
   end
 
-  test 'key: arrays are filtered out' do
-    [[], [1], ['1']].each do |array|
+  test "key: arrays are filtered out" do
+    [[], [1], ["1"]].each do |array|
       params = ActionController::Parameters.new(id: array)
       permitted = params.permit(:id)
       assert_filtered_out permitted, :id
@@ -76,8 +97,8 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end
   end
 
-  test 'key: hashes are filtered out' do
-    [{}, {foo: 1}, {foo: 'bar'}].each do |hash|
+  test "key: hashes are filtered out" do
+    [{}, { foo: 1 }, { foo: "bar" }].each do |hash|
       params = ActionController::Parameters.new(id: hash)
       permitted = params.permit(:id)
       assert_filtered_out permitted, :id
@@ -90,7 +111,7 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end
   end
 
-  test 'key: non-permitted scalar values are filtered out' do
+  test "key: non-permitted scalar values are filtered out" do
     params = ActionController::Parameters.new(id: Object.new)
     permitted = params.permit(:id)
     assert_filtered_out permitted, :id
@@ -102,19 +123,19 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end
   end
 
-  test 'key: it is not assigned if not present in params' do
-    params = ActionController::Parameters.new(name: 'Joe')
+  test "key: it is not assigned if not present in params" do
+    params = ActionController::Parameters.new(name: "Joe")
     permitted = params.permit(:id)
     assert !permitted.has_key?(:id)
   end
 
-  test 'key to empty array: empty arrays pass' do
+  test "key to empty array: empty arrays pass" do
     params = ActionController::Parameters.new(id: [])
     permitted = params.permit(id: [])
     assert_equal [], permitted[:id]
   end
 
-  test 'do not break params filtering on nil values' do
+  test "do not break params filtering on nil values" do
     params = ActionController::Parameters.new(a: 1, b: [1, 2, 3], c: nil)
 
     permitted = params.permit(:a, c: [], b: [])
@@ -123,24 +144,24 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal nil, permitted[:c]
   end
 
-  test 'key to empty array: arrays of permitted scalars pass' do
-    [['foo'], [1], ['foo', 'bar'], [1, 2, 3]].each do |array|
+  test "key to empty array: arrays of permitted scalars pass" do
+    [["foo"], [1], ["foo", "bar"], [1, 2, 3]].each do |array|
       params = ActionController::Parameters.new(id: array)
       permitted = params.permit(id: [])
       assert_equal array, permitted[:id]
     end
   end
 
-  test 'key to empty array: permitted scalar values do not pass' do
-    ['foo', 1].each do |permitted_scalar|
+  test "key to empty array: permitted scalar values do not pass" do
+    ["foo", 1].each do |permitted_scalar|
       params = ActionController::Parameters.new(id: permitted_scalar)
       permitted = params.permit(id: [])
       assert_filtered_out permitted, :id
     end
   end
 
-  test 'key to empty array: arrays of non-permitted scalar do not pass' do
-    [[Object.new], [[]], [[1]], [{}], [{id: '1'}]].each do |non_permitted_scalar|
+  test "key to empty array: arrays of non-permitted scalar do not pass" do
+    [[Object.new], [[]], [[1]], [{}], [{ id: "1" }]].each do |non_permitted_scalar|
       params = ActionController::Parameters.new(id: non_permitted_scalar)
       permitted = params.permit(id: [])
       assert_filtered_out permitted, :id
@@ -160,7 +181,7 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal nil, params[:foo]
   end
 
-  test 'hashes in array values get wrapped' do
+  test "hashes in array values get wrapped" do
     params = ActionController::Parameters.new(foo: [{}, {}])
     params[:foo].each do |hash|
       assert !hash.permitted?
@@ -170,7 +191,7 @@ class ParametersPermitTest < ActiveSupport::TestCase
   # Strong params has an optimization to avoid looping every time you read
   # a key whose value is an array and building a new object. We check that
   # optimization here.
-  test 'arrays are converted at most once' do
+  test "arrays are converted at most once" do
     params = ActionController::Parameters.new(foo: [{}])
     assert_same params[:foo], params[:foo]
   end
@@ -181,11 +202,11 @@ class ParametersPermitTest < ActiveSupport::TestCase
   # This test checks that if we push a hash to an array (in-place modification)
   # the cache does not get fooled, the hash is still wrapped as strong params,
   # and not permitted.
-  test 'mutated arrays are detected' do
-    params = ActionController::Parameters.new(users: [{id: 1}])
+  test "mutated arrays are detected" do
+    params = ActionController::Parameters.new(users: [{ id: 1 }])
 
     permitted = params.permit(users: [:id])
-    permitted[:users] << {injected: 1}
+    permitted[:users] << { injected: 1 }
     assert_not permitted[:users].last.permitted?
   end
 
@@ -199,7 +220,7 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal nil, @params.fetch(:foo) { nil }
   end
 
-  test 'KeyError in fetch block should not be covered up' do
+  test "KeyError in fetch block should not be covered up" do
     params = ActionController::Parameters.new
     e = assert_raises(KeyError) do
       params.fetch(:missing_key) { {}.fetch(:also_missing) }
@@ -216,6 +237,13 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert @params.merge(a: "b").permitted?
   end
 
+  test "merge with parameters" do
+    other_params = ActionController::Parameters.new(id: "1234").permit!
+    merged_params = @params.merge(other_params)
+
+    assert merged_params[:id]
+  end
+
   test "modifying the parameters" do
     @params[:person][:hometown] = "Chicago"
     @params[:person][:family] = { brother: "Jonas" }
@@ -224,11 +252,6 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal "Jonas", @params[:person][:family][:brother]
   end
 
-  test "permit state is kept on a dup" do
-    @params.permit!
-    assert_equal @params.permitted?, @params.dup.permitted?
-  end
-
   test "permit is recursive" do
     @params.permit!
     assert @params.permitted?
@@ -240,9 +263,9 @@ class ParametersPermitTest < ActiveSupport::TestCase
   test "permitted takes a default value when Parameters.permit_all_parameters is set" do
     begin
       ActionController::Parameters.permit_all_parameters = true
-      params = ActionController::Parameters.new({ person: {
+      params = ActionController::Parameters.new(person: {
         age: "32", name: { first: "David", last: "Heinemeier Hansson" }
-      }})
+      })
 
       assert params.slice(:person).permitted?
       assert params[:person][:name].permitted?
@@ -299,10 +322,10 @@ class ParametersPermitTest < ActiveSupport::TestCase
   end
 
   test "to_unsafe_h returns unfiltered params even after accessing few keys" do
-    params = ActionController::Parameters.new("f"=>{"language_facet"=>["Tibetan"]})
-    expected = {"f"=>{"language_facet"=>["Tibetan"]}}
+    params = ActionController::Parameters.new("f"=>{ "language_facet"=>["Tibetan"] })
+    expected = { "f"=>{ "language_facet"=>["Tibetan"] } }
 
-    assert params['f'].is_a? ActionController::Parameters
+    assert params["f"].is_a? ActionController::Parameters
     assert_equal expected, params.to_unsafe_h
   end
 
@@ -313,10 +336,10 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end.new
 
     params = ActionController::Parameters.new(prem: { likes: %i( dancing ) })
-    assert_equal({ 'prem' => { 'likes' => %i( dancing ) } }, params.permit!.to_h)
+    assert_equal({ "prem" => { "likes" => %i( dancing ) } }, params.permit!.to_h)
 
     params = ActionController::Parameters.new(companies: [ company, :acme ])
-    assert_equal({ 'companies' => [ company, :acme ] }, params.permit!.to_h)
+    assert_equal({ "companies" => [ company, :acme ] }, params.permit!.to_h)
     assert_not company.dupped
   end
 
@@ -327,16 +350,31 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end.new
 
     params = ActionController::Parameters.new(prem: { likes: %i( dancing ) })
-    assert_equal({ 'prem' => { 'likes' => %i( dancing ) } }, params.to_unsafe_h)
+    assert_equal({ "prem" => { "likes" => %i( dancing ) } }, params.to_unsafe_h)
 
     params = ActionController::Parameters.new(companies: [ company, :acme ])
-    assert_equal({ 'companies' => [ company, :acme ] }, params.to_unsafe_h)
+    assert_equal({ "companies" => [ company, :acme ] }, params.to_unsafe_h)
     assert_not company.dupped
   end
 
   test "include? returns true when the key is present" do
     assert @params.include? :person
-    assert @params.include? 'person'
+    assert @params.include? "person"
     assert_not @params.include? :gorilla
   end
+
+  test "scalar values should be filtered when array or hash is specified" do
+    params = ActionController::Parameters.new(foo: "bar")
+
+    assert params.permit(:foo).has_key?(:foo)
+    refute params.permit(foo: []).has_key?(:foo)
+    refute params.permit(foo: [:bar]).has_key?(:foo)
+    refute params.permit(foo: :bar).has_key?(:foo)
+  end
+
+  test "#permitted? is false by default" do
+    params = ActionController::Parameters.new
+
+    assert_equal false, params.permitted?
+  end
 end
diff --git a/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb b/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb
index f9cc9f96f1..8fab7b28e9 100644
--- a/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb
+++ b/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb
@@ -1,5 +1,5 @@
-require 'abstract_unit'
-require 'action_controller/metal/strong_parameters'
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
 
 class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase
   def setup
@@ -11,10 +11,9 @@ class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase
   end
 
   test "raises on unexpected params" do
-    params = ActionController::Parameters.new({
+    params = ActionController::Parameters.new(
       book: { pages: 65 },
-      fishing: "Turnips"
-    })
+      fishing: "Turnips")
 
     assert_raises(ActionController::UnpermittedParameters) do
       params.permit(book: [:pages])
@@ -22,9 +21,8 @@ class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase
   end
 
   test "raises on unexpected nested params" do
-    params = ActionController::Parameters.new({
-      book: { pages: 65, title: "Green Cats and where to find then." }
-    })
+    params = ActionController::Parameters.new(
+      book: { pages: 65, title: "Green Cats and where to find then." })
 
     assert_raises(ActionController::UnpermittedParameters) do
       params.permit(book: [:pages])
diff --git a/actionpack/test/controller/parameters/serialization_test.rb b/actionpack/test/controller/parameters/serialization_test.rb
new file mode 100644
index 0000000000..6fba2fde91
--- /dev/null
+++ b/actionpack/test/controller/parameters/serialization_test.rb
@@ -0,0 +1,53 @@
+require "abstract_unit"
+require "action_controller/metal/strong_parameters"
+require "active_support/core_ext/string/strip"
+
+class ParametersSerializationTest < ActiveSupport::TestCase
+  setup do
+    @old_permitted_parameters = ActionController::Parameters.permit_all_parameters
+    ActionController::Parameters.permit_all_parameters = false
+  end
+
+  teardown do
+    ActionController::Parameters.permit_all_parameters = @old_permitted_parameters
+  end
+
+  test "yaml serialization" do
+    params = ActionController::Parameters.new(key: :value)
+    yaml_dump = YAML.dump(params)
+    assert_match("--- !ruby/object:ActionController::Parameters", yaml_dump)
+    assert_match(/parameters: !ruby\/hash:ActiveSupport::HashWithIndifferentAccess\n\s+key: :value/, yaml_dump)
+    assert_match("permitted: false", yaml_dump)
+  end
+
+  test "yaml deserialization" do
+    params = ActionController::Parameters.new(key: :value)
+    roundtripped = YAML.load(YAML.dump(params))
+
+    assert_equal params, roundtripped
+    assert_not roundtripped.permitted?
+  end
+
+  test "yaml backwardscompatible with psych 2.0.8 format" do
+    params = YAML.load <<-end_of_yaml.strip_heredoc
+      --- !ruby/hash:ActionController::Parameters
+      key: :value
+    end_of_yaml
+
+    assert_equal :value, params[:key]
+    assert_not params.permitted?
+  end
+
+  test "yaml backwardscompatible with psych 2.0.9+ format" do
+    params = YAML.load(<<-end_of_yaml.strip_heredoc)
+      --- !ruby/hash-with-ivars:ActionController::Parameters
+      elements:
+        key: :value
+      ivars:
+        :@permitted: false
+    end_of_yaml
+
+    assert_equal :value, params[:key]
+    assert_not params.permitted?
+  end
+end