From 92f9ff8cc325d72d74cbf839ac9ac0acd474a768 Mon Sep 17 00:00:00 2001
From: Xavier Noria
Date: Sat, 21 Dec 2013 01:11:47 +0100
Subject: converts hashes in arrays of unfiltered params to unpermitted params [fixes #13382]

---
 actionpack/CHANGELOG.md | 6 ++++++
 actionpack/lib/action_controller/metal/strong_parameters.rb | 13 ++++++++++---
 .../test/controller/parameters/parameters_permit_test.rb | 7 +++++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 75d9b557f2..d696656521 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+* Converts hashes in arrays of unfiltered params to unpermitted params.
+
+ Fixes #13382
+
+ *Xavier Noria*
+
 * New config option to opt out of params "deep munging" that was used to address security vulnerability CVE-2013-0155. In your app config:
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index b4948d99a8..a3ac15a1d2 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -330,11 +330,18 @@ module ActionController
 private
 def convert_hashes_to_parameters(key, value)
- if value.is_a?(Parameters) || !value.is_a?(Hash)
+ converted = convert_value_to_parameters(value)
+ self[key] = converted unless converted.equal?(value)
+ converted
+ end
+
+ def convert_value_to_parameters(value)
+ if value.is_a?(Array)
+ value.map { |_| convert_value_to_parameters(_) }
+ elsif value.is_a?(Parameters) || !value.is_a?(Hash)
 value
 else
- # Convert to Parameters on first access
- self[key] = self.class.new(value)
+ self.class.new(value)
 end
 end
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index b60c5f058d..ba191a7227 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
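Review bot: The `converted.equal?(value)` guard in convert_hashes_to_parameters can never hold for arrays, because the `value.is_a?(Array)` branch of convert_value_to_parameters always returns a fresh array from `map`, so every read of an array-valued key reallocates and rewrites `self[key]`, even for arrays of plain scalars; the removed comment said the conversion was meant to happen on first access. The array branch could hand back the original object when nothing was converted, e.g. `mapped = value.map { |v| convert_value_to_parameters(v) }` followed by `mapped.each_with_index.all? { |v, i| v.equal?(value[i]) } ? value : mapped`. The block parameter `_` is the conventional name for an unused argument, so `{ |v| convert_value_to_parameters(v) }` reads more honestly. The reason for the new helper — hashes nested in arrays become Parameters, which stay unpermitted until filtered, rather than raw hashes — is stated only in the CHANGELOG; a comment such as `# Hashes inside arrays are wrapped too, so they cannot slip past permit checks as plain hashes` above convert_value_to_parameters would keep that intent next to the code. Both methods sit inside a class whose definition lies outside the hunk.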
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -153,6 +153,13 @@ class ParametersPermitTest < ActiveSupport::TestCase
 assert_equal nil, params[:foo]
 end
 
+ test 'hashes in array values get wrapped' do
+ params = ActionController::Parameters.new(foo: [{}, {}])
+ params[:foo].each do |hash|
+ assert !hash.permitted?
+ end
+ end
+
 test "fetch doesnt raise ParameterMissing exception if there is a default" do
 assert_equal "monkey", @params.fetch(:foo, "monkey")
 assert_equal "monkey", @params.fetch(:foo) { "monkey" }
-- 
cgit v1.2.3
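Review bot: The new test checks only `!hash.permitted?`, which any object responding to `permitted?` could satisfy; adding `assert_kind_of ActionController::Parameters, hash` inside the loop pins the wrapping the commit introduces. The recursive helper in strong_parameters.rb also wraps hashes inside nested arrays, but that path is untested; a second case built from `ActionController::Parameters.new(foo: [[{}]])` would cover it. `assert_not hash.permitted?` is the ActiveSupport spelling of `assert !...`.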