8 files changed, 221 insertions, 35 deletions

diff --git a/actionpack/test/controller/integration_test.rb b/actionpack/test/controller/integration_test.rb
index e2239c05c7..72b882539c 100644
--- a/actionpack/test/controller/integration_test.rb
+++ b/actionpack/test/controller/integration_test.rb
@@ -751,13 +751,17 @@ class UrlOptionsIntegrationTest < ActionDispatch::IntegrationTest
     assert_equal "http://bar.com/foo", foos_url
   end
 
-  test "test can override default url options" do
+  def test_can_override_default_url_options
+    original_host = default_url_options.dup
+
     default_url_options[:host] = "foobar.com"
     assert_equal "http://foobar.com/foo", foos_url
 
     get "/bar"
     assert_response :success
     assert_equal "http://foobar.com/foo", foos_url
+  ensure
+    ActionDispatch::Integration::Session.default_url_options = self.default_url_options = original_host
   end
 
   test "current request path parameters are recalled" do
diff --git a/actionpack/test/controller/layout_test.rb b/actionpack/test/controller/layout_test.rb
index 365fa04570..71bcfd664e 100644
--- a/actionpack/test/controller/layout_test.rb
+++ b/actionpack/test/controller/layout_test.rb
@@ -1,5 +1,6 @@
 require 'abstract_unit'
 require 'rbconfig'
+require 'active_support/core_ext/array/extract_options'
 
 # The view_paths array must be set on Base and not LayoutTest so that LayoutTest's inherited
 # method has access to the view_paths array when looking for a layout to automatically assign.
diff --git a/actionpack/test/controller/localized_templates_test.rb b/actionpack/test/controller/localized_templates_test.rb
index 41ff2f3809..bac1d02977 100644
--- a/actionpack/test/controller/localized_templates_test.rb
+++ b/actionpack/test/controller/localized_templates_test.rb
@@ -9,14 +9,20 @@ class LocalizedTemplatesTest < ActionController::TestCase
   tests LocalizedController
 
   def test_localized_template_is_used
+    old_locale = I18n.locale
     I18n.locale = :de
     get :hello_world
     assert_equal "Gutten Tag", @response.body
+  ensure
+    I18n.locale = old_locale
   end
 
   def test_default_locale_template_is_used_when_locale_is_missing
+    old_locale = I18n.locale
     I18n.locale = :dk
     get :hello_world
     assert_equal "Hello World", @response.body
+  ensure
+    I18n.locale = old_locale
   end
-end
\ No newline at end of file
+end
diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_test.rb
index 6df849c4e2..91df527dec 100644
--- a/actionpack/test/controller/parameters/nested_parameters_test.rb
+++ b/actionpack/test/controller/parameters/nested_parameters_test.rb
@@ -2,6 +2,10 @@ require 'abstract_unit'
 require 'action_controller/metal/strong_parameters'
 
 class NestedParametersTest < ActiveSupport::TestCase
+  def assert_filtered_out(params, key)
+    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
+  end
+
   test "permitted nested parameters" do
     params = ActionController::Parameters.new({
       book: {
@@ -11,6 +15,8 @@ class NestedParametersTest < ActiveSupport::TestCase
           born: "1564-04-26"
         }, {
           name: "Christopher Marlowe"
+        }, {
+          name: %w(malicious injected names)
         }],
         details: {
           pages: 200,
@@ -30,10 +36,12 @@ class NestedParametersTest < ActiveSupport::TestCase
     assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
     assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
     assert_equal 200, permitted[:book][:details][:pages]
-    assert_nil permitted[:book][:id]
-    assert_nil permitted[:book][:details][:genre]
-    assert_nil permitted[:book][:authors][0][:born]
-    assert_nil permitted[:magazine]
+
+    assert_filtered_out permitted, :magazine
+    assert_filtered_out permitted[:book], :id
+    assert_filtered_out permitted[:book][:details], :genre
+    assert_filtered_out permitted[:book][:authors][0], :born
+    assert_filtered_out permitted[:book][:authors][2], :name
   end
 
   test "permitted nested parameters with a string or a symbol as a key" do
@@ -63,25 +71,25 @@ class NestedParametersTest < ActiveSupport::TestCase
 
   test "nested arrays with strings" do
     params = ActionController::Parameters.new({
-      :book => {
-        :genres => ["Tragedy"]
+      book: {
+        genres: ["Tragedy"]
       }
     })
 
-    permitted = params.permit :book => :genres
+    permitted = params.permit book: {genres: []}
     assert_equal ["Tragedy"], permitted[:book][:genres]
   end
 
   test "permit may specify symbols or strings" do
     params = ActionController::Parameters.new({
-      :book => {
-        :title => "Romeo and Juliet",
-        :author => "William Shakespeare"
+      book: {
+        title: "Romeo and Juliet",
+        author: "William Shakespeare"
       },
-      :magazine => "Shakespeare Today"
+      magazine: "Shakespeare Today"
     })
 
-    permitted = params.permit({:book => ["title", :author]}, "magazine")
+    permitted = params.permit({book: ["title", :author]}, "magazine")
     assert_equal "Romeo and Juliet", permitted[:book][:title]
     assert_equal "William Shakespeare", permitted[:book][:author]
     assert_equal "Shakespeare Today", permitted[:magazine]
@@ -127,16 +135,38 @@ class NestedParametersTest < ActiveSupport::TestCase
       book: {
         authors_attributes: {
           :'0' => { name: 'William Shakespeare', age_of_death: '52' },
-          :'-1' => { name: 'Unattributed Assistant' }
+          :'1' => { name: 'Unattributed Assistant' },
+          :'2' => { name: %w(injected names)}
         }
       }
     })
     permitted = params.permit book: { authors_attributes: [ :name ] }
 
     assert_not_nil permitted[:book][:authors_attributes]['0']
-    assert_not_nil permitted[:book][:authors_attributes]['-1']
-    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_empty permitted[:book][:authors_attributes]['2']
     assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
-    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death
+  end
+
+  test "fields_for-style nested params with negative numbers" do
+    params = ActionController::Parameters.new({
+      book: {
+        authors_attributes: {
+          :'-1' => { name: 'William Shakespeare', age_of_death: '52' },
+          :'-2' => { name: 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit book: { authors_attributes: [:name] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
   end
 end
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index 7cc71fe6dc..aadb142660 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -1,11 +1,133 @@
 require 'abstract_unit'
+require 'action_dispatch/http/upload'
 require 'action_controller/metal/strong_parameters'
 
 class ParametersPermitTest < ActiveSupport::TestCase
+  def assert_filtered_out(params, key)
+    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
+  end
+
   setup do
     @params = ActionController::Parameters.new({ person: {
       age: "32", name: { first: "David", last: "Heinemeier Hansson" }
     }})
+
+    @struct_fields = []
+    %w(0 1 12).each do |number|
+      ['', 'i', 'f'].each do |suffix|
+        @struct_fields << "sf(#{number}#{suffix})"
+      end
+    end
+  end
+
+  test 'if nothing is permitted, the hash becomes empty' do
+    params = ActionController::Parameters.new(id: '1234')
+    permitted = params.permit
+    assert permitted.permitted?
+    assert permitted.empty?
+  end
+
+  test 'key: permitted scalar values' do
+    values  = ['a', :a, nil]
+    values += [0, 1.0, 2**128, BigDecimal.new(1)]
+    values += [true, false]
+    values += [Date.today, Time.now, DateTime.now]
+    values += [STDOUT, StringIO.new, ActionDispatch::Http::UploadedFile.new(tempfile: __FILE__)]
+
+    values.each do |value|
+      params = ActionController::Parameters.new(id: value)
+      permitted = params.permit(:id)
+      assert_equal value, permitted[:id]
+
+      @struct_fields.each do |sf|
+        params = ActionController::Parameters.new(sf => value)
+        permitted = params.permit(:sf)
+        assert_equal value, permitted[sf]
+      end
+    end
+  end
+
+  test 'key: unknown keys are filtered out' do
+    params = ActionController::Parameters.new(id: '1234', injected: 'injected')
+    permitted = params.permit(:id)
+    assert_equal '1234', permitted[:id]
+    assert_filtered_out permitted, :injected
+  end
+
+  test 'key: arrays are filtered out' do
+    [[], [1], ['1']].each do |array|
+      params = ActionController::Parameters.new(id: array)
+      permitted = params.permit(:id)
+      assert_filtered_out permitted, :id
+
+      @struct_fields.each do |sf|
+        params = ActionController::Parameters.new(sf => array)
+        permitted = params.permit(:sf)
+        assert_filtered_out permitted, sf
+      end
+    end
+  end
+
+  test 'key: hashes are filtered out' do
+    [{}, {foo: 1}, {foo: 'bar'}].each do |hash|
+      params = ActionController::Parameters.new(id: hash)
+      permitted = params.permit(:id)
+      assert_filtered_out permitted, :id
+
+      @struct_fields.each do |sf|
+        params = ActionController::Parameters.new(sf => hash)
+        permitted = params.permit(:sf)
+        assert_filtered_out permitted, sf
+      end
+    end
+  end
+
+  test 'key: non-permitted scalar values are filtered out' do
+    params = ActionController::Parameters.new(id: Object.new)
+    permitted = params.permit(:id)
+    assert_filtered_out permitted, :id
+
+    @struct_fields.each do |sf|
+      params = ActionController::Parameters.new(sf => Object.new)
+      permitted = params.permit(:sf)
+      assert_filtered_out permitted, sf
+    end
+  end
+
+  test 'key: it is not assigned if not present in params' do
+    params = ActionController::Parameters.new(name: 'Joe')
+    permitted = params.permit(:id)
+    assert !permitted.has_key?(:id)
+  end
+
+  test 'key to empty array: empty arrays pass' do
+    params = ActionController::Parameters.new(id: [])
+    permitted = params.permit(id: [])
+    assert_equal [], permitted[:id]
+  end
+
+  test 'key to empty array: arrays of permitted scalars pass' do
+    [['foo'], [1], ['foo', 'bar'], [1, 2, 3]].each do |array|
+      params = ActionController::Parameters.new(id: array)
+      permitted = params.permit(id: [])
+      assert_equal array, permitted[:id]
+    end
+  end
+
+  test 'key to empty array: permitted scalar values do not pass' do
+    ['foo', 1].each do |permitted_scalar|
+      params = ActionController::Parameters.new(id: permitted_scalar)
+      permitted = params.permit(id: [])
+      assert_filtered_out permitted, :id
+    end
+  end
+
+  test 'key to empty array: arrays of non-permitted scalar do not pass' do
+    [[Object.new], [[]], [[1]], [{}], [{id: '1'}]].each do |non_permitted_scalar|
+      params = ActionController::Parameters.new(id: non_permitted_scalar)
+      permitted = params.permit(id: [])
+      assert_filtered_out permitted, :id
+    end
   end
 
   test "fetch raises ParameterMissing exception" do
@@ -73,10 +195,6 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal "Jonas", @params[:person][:family][:brother]
   end
 
-  test "permitting parameters that are not there should not include the keys" do
-    assert !@params.permit(:person, :funky).has_key?(:funky)
-  end
-
   test "permit state is kept on a dup" do
     @params.permit!
     assert_equal @params.permitted?, @params.dup.permitted?
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 523a8d0572..c272e785c2 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -66,6 +66,19 @@ class RequestForgeryProtectionControllerUsingException < ActionController::Base
   protect_from_forgery :only => %w(index meta), :with => :exception
 end
 
+class RequestForgeryProtectionControllerUsingNullSession < ActionController::Base
+  protect_from_forgery :with => :null_session
+
+  def signed
+    cookies.signed[:foo] = 'bar'
+    render :nothing => true
+  end
+
+  def encrypted
+    cookies.encrypted[:foo] = 'bar'
+    render :nothing => true
+  end
+end
 
 class FreeCookieController < RequestForgeryProtectionControllerUsingResetSession
   self.allow_forgery_protection = false
@@ -170,6 +183,10 @@ module RequestForgeryProtectionTests
     assert_not_blocked { get :index }
   end
 
+  def test_should_allow_head
+    assert_not_blocked { head :index }
+  end
+
   def test_should_allow_post_without_token_on_unsafe_action
     assert_not_blocked { post :unsafe }
   end
@@ -283,6 +300,28 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController
   end
 end
 
+class NullSessionDummyKeyGenerator
+  def generate_key(secret)
+    '03312270731a2ed0d11ed091c2338a06'
+  end
+end
+
+class RequestForgeryProtectionControllerUsingNullSessionTest < ActionController::TestCase  
+  def setup
+    @request.env[ActionDispatch::Cookies::GENERATOR_KEY] = NullSessionDummyKeyGenerator.new
+  end
+
+  test 'should allow to set signed cookies' do
+    post :signed
+    assert_response :ok
+  end
+
+  test 'should allow to set encrypted cookies' do
+    post :encrypted
+    assert_response :ok
+  end
+end
+
 class RequestForgeryProtectionControllerUsingExceptionTest < ActionController::TestCase
   include RequestForgeryProtectionTests
   def assert_blocked
diff --git a/actionpack/test/controller/resources_test.rb b/actionpack/test/controller/resources_test.rb
index 305659b219..9aea7e860a 100644
--- a/actionpack/test/controller/resources_test.rb
+++ b/actionpack/test/controller/resources_test.rb
@@ -1,6 +1,7 @@
 require 'abstract_unit'
 require 'active_support/core_ext/object/try'
 require 'active_support/core_ext/object/with_options'
+require 'active_support/core_ext/array/extract_options'
 
 class ResourcesTest < ActionController::TestCase
   def test_default_restful_routes
diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb
index 0480295056..19d5652d81 100644
--- a/actionpack/test/controller/webservice_test.rb
+++ b/actionpack/test/controller/webservice_test.rb
@@ -129,19 +129,6 @@ class WebServiceTest < ActionDispatch::IntegrationTest
     $stderr = STDERR
   end
 
-  def test_register_and_use_yaml
-    with_test_route_set do
-      with_params_parsers Mime::YAML => Proc.new { |d| YAML.load(d) } do
-        post "/", {"entry" => "loaded from yaml"}.to_yaml,
-          {'CONTENT_TYPE' => 'application/x-yaml'}
-
-        assert_equal 'entry', @controller.response.body
-        assert @controller.params.has_key?(:entry)
-        assert_equal 'loaded from yaml', @controller.params["entry"]
-      end
-    end
-  end
-
   def test_register_and_use_xml_simple
     with_test_route_set do
       with_params_parsers Mime::XML => Proc.new { |data| Hash.from_xml(data)['request'].with_indifferent_access } do