2 files changed, 164 insertions, 17 deletions

diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_test.rb
index 6df849c4e2..8aec159499 100644
--- a/actionpack/test/controller/parameters/nested_parameters_test.rb
+++ b/actionpack/test/controller/parameters/nested_parameters_test.rb
@@ -2,6 +2,10 @@ require 'abstract_unit'
 require 'action_controller/metal/strong_parameters'
 
 class NestedParametersTest < ActiveSupport::TestCase
+  def assert_filtered_out(params, key)
+    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
+  end
+
   test "permitted nested parameters" do
     params = ActionController::Parameters.new({
       book: {
@@ -11,6 +15,8 @@ class NestedParametersTest < ActiveSupport::TestCase
           born: "1564-04-26"
         }, {
           name: "Christopher Marlowe"
+        }, {
+          :name => %w(malicious injected names)
         }],
         details: {
           pages: 200,
@@ -30,10 +36,12 @@ class NestedParametersTest < ActiveSupport::TestCase
     assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
     assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
     assert_equal 200, permitted[:book][:details][:pages]
-    assert_nil permitted[:book][:id]
-    assert_nil permitted[:book][:details][:genre]
-    assert_nil permitted[:book][:authors][0][:born]
-    assert_nil permitted[:magazine]
+
+    assert_filtered_out permitted, :magazine
+    assert_filtered_out permitted[:book], :id
+    assert_filtered_out permitted[:book][:details], :genre
+    assert_filtered_out permitted[:book][:authors][0], :born
+    assert_filtered_out permitted[:book][:authors][2], :name
   end
 
   test "permitted nested parameters with a string or a symbol as a key" do
@@ -68,7 +76,7 @@ class NestedParametersTest < ActiveSupport::TestCase
       }
     })
 
-    permitted = params.permit :book => :genres
+    permitted = params.permit :book => {:genres => []}
     assert_equal ["Tragedy"], permitted[:book][:genres]
   end
 
@@ -124,19 +132,41 @@ class NestedParametersTest < ActiveSupport::TestCase
 
   test "fields_for-style nested params" do
     params = ActionController::Parameters.new({
-      book: {
-        authors_attributes: {
-          :'0' => { name: 'William Shakespeare', age_of_death: '52' },
-          :'-1' => { name: 'Unattributed Assistant' }
+      :book => {
+        :authors_attributes => {
+          :'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'1' => { :name => 'Unattributed Assistant' },
+          :'2' => { :name => %w(injected names)}
         }
       }
     })
-    permitted = params.permit book: { authors_attributes: [ :name ] }
+    permitted = params.permit :book => { :authors_attributes => [ :name ] }
 
     assert_not_nil permitted[:book][:authors_attributes]['0']
-    assert_not_nil permitted[:book][:authors_attributes]['-1']
-    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_empty permitted[:book][:authors_attributes]['2']
     assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
-    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death
+  end
+
+  test "fields_for-style nested params with negative numbers" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'-2' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [:name] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
   end
 end
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index 7cc71fe6dc..303c13eb25 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -2,10 +2,131 @@ require 'abstract_unit'
 require 'action_controller/metal/strong_parameters'
 
 class ParametersPermitTest < ActiveSupport::TestCase
+  def assert_filtered_out(params, key)
+    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
+  end
+
   setup do
     @params = ActionController::Parameters.new({ person: {
       age: "32", name: { first: "David", last: "Heinemeier Hansson" }
     }})
+
+    @struct_fields = []
+    %w(0 1 12).each do |number|
+      ['', 'i', 'f'].each do |suffix|
+        @struct_fields << "sf(#{number}#{suffix})"
+      end
+    end
+  end
+
+  test 'if nothing is permitted, the hash becomes empty' do
+    params = ActionController::Parameters.new(:id => '1234')
+    permitted = params.permit
+    assert permitted.permitted?
+    assert permitted.empty?
+  end
+
+  test 'key: permitted scalar values' do
+    values  = ['a', :a, nil]
+    values += [0, 1.0, 2**128, BigDecimal.new(1)]
+    values += [true, false]
+    values += [Date.today, Time.now, DateTime.now]
+    values += [StringIO.new]
+
+    values.each do |value|
+      params = ActionController::Parameters.new(:id => value)
+      permitted = params.permit(:id)
+      assert_equal value, permitted[:id]
+
+      @struct_fields.each do |sf|
+        params = ActionController::Parameters.new(sf => value)
+        permitted = params.permit(:sf)
+        assert_equal value, permitted[sf]
+      end
+    end
+  end
+
+  test 'key: unknown keys are filtered out' do
+    params = ActionController::Parameters.new(:id => '1234', :injected => 'injected')
+    permitted = params.permit(:id)
+    assert_equal '1234', permitted[:id]
+    assert_filtered_out permitted, :injected
+  end
+
+  test 'key: arrays are filtered out' do
+    [[], [1], ['1']].each do |array|
+      params = ActionController::Parameters.new(:id => array)
+      permitted = params.permit(:id)
+      assert_filtered_out permitted, :id
+
+      @struct_fields.each do |sf|
+        params = ActionController::Parameters.new(sf => array)
+        permitted = params.permit(:sf)
+        assert_filtered_out permitted, sf
+      end
+    end
+  end
+
+  test 'key: hashes are filtered out' do
+    [{}, {:foo => 1}, {:foo => 'bar'}].each do |hash|
+      params = ActionController::Parameters.new(:id => hash)
+      permitted = params.permit(:id)
+      assert_filtered_out permitted, :id
+
+      @struct_fields.each do |sf|
+        params = ActionController::Parameters.new(sf => hash)
+        permitted = params.permit(:sf)
+        assert_filtered_out permitted, sf
+      end
+    end
+  end
+
+  test 'key: non-permitted scalar values are filtered out' do
+    params = ActionController::Parameters.new(:id => Object.new)
+    permitted = params.permit(:id)
+    assert_filtered_out permitted, :id
+
+    @struct_fields.each do |sf|
+      params = ActionController::Parameters.new(sf => Object.new)
+      permitted = params.permit(:sf)
+      assert_filtered_out permitted, sf
+    end
+  end
+
+  test 'key: it is not assigned if not present in params' do
+    params = ActionController::Parameters.new(:name => 'Joe')
+    permitted = params.permit(:id)
+    assert !permitted.has_key?(:id)
+  end
+
+  test 'key to empty array: empty arrays pass' do
+    params = ActionController::Parameters.new(:id => [])
+    permitted = params.permit(:id => [])
+    assert_equal [], permitted[:id]
+  end
+
+  test 'key to empty array: arrays of permitted scalars pass' do
+    [['foo'], [1], ['foo', 'bar'], [1, 2, 3]].each do |array|
+      params = ActionController::Parameters.new(:id => array)
+      permitted = params.permit(:id => [])
+      assert_equal array, permitted[:id]
+    end
+  end
+
+  test 'key to empty array: permitted scalar values do not pass' do
+    ['foo', 1].each do |permitted_scalar|
+      params = ActionController::Parameters.new(:id => permitted_scalar)
+      permitted = params.permit(:id => [])
+      assert_filtered_out permitted, :id
+    end
+  end
+
+  test 'key to empty array: arrays of non-permitted scalar do not pass' do
+    [[Object.new], [[]], [[1]], [{}], [{:id => '1'}]].each do |non_permitted_scalar|
+      params = ActionController::Parameters.new(:id => non_permitted_scalar)
+      permitted = params.permit(:id => [])
+      assert_filtered_out permitted, :id
+    end
   end
 
   test "fetch raises ParameterMissing exception" do
@@ -73,10 +194,6 @@ class ParametersPermitTest < ActiveSupport::TestCase
     assert_equal "Jonas", @params[:person][:family][:brother]
   end
 
-  test "permitting parameters that are not there should not include the keys" do
-    assert !@params.permit(:person, :funky).has_key?(:funky)
-  end
-
   test "permit state is kept on a dup" do
     @params.permit!
     assert_equal @params.permitted?, @params.dup.permitted?