From fea7c9fed65b9dd305562483c1cfd80104d521b5 Mon Sep 17 00:00:00 2001
From: Sam Davies <seivadmas@gmail.com>
Date: Thu, 3 Mar 2016 12:25:28 -0300
Subject: Do not destructively mutate passed options hash in route definitions

- Fixes #24030

An example scope might be specified as such:

```ruby
HTML = { constraints: { format: :html } }.freeze
scope HTML do
  get 'x'
end
```

This currently raises an error because the mapper attempts to
destructively modify the passed options hash. This is dangerous because
this options hash might even be shared with other scopes.

We should instead always instantiate a new object instead of modifying
the passed options.
---
 actionpack/lib/action_dispatch/routing/mapper.rb |  3 +--
 actionpack/test/dispatch/mapper_test.rb          | 13 +++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/routing/mapper.rb b/actionpack/lib/action_dispatch/routing/mapper.rb
index 16b430c36e..c4621e386d 100644
--- a/actionpack/lib/action_dispatch/routing/mapper.rb
+++ b/actionpack/lib/action_dispatch/routing/mapper.rb
@@ -1,4 +1,3 @@
-require 'active_support/core_ext/hash/reverse_merge'
 require 'active_support/core_ext/hash/slice'
 require 'active_support/core_ext/enumerable'
 require 'active_support/core_ext/array/extract_options'
@@ -824,7 +823,7 @@ module ActionDispatch
               URL_OPTIONS.include?(k) && (v.is_a?(String) || v.is_a?(Fixnum))
             end
 
-            (options[:defaults] ||= {}).reverse_merge!(defaults)
+            options[:defaults] = defaults.merge(options[:defaults] || {})
           else
             block, options[:constraints] = options[:constraints], {}
           end
diff --git a/actionpack/test/dispatch/mapper_test.rb b/actionpack/test/dispatch/mapper_test.rb
index df27e41997..69098326b9 100644
--- a/actionpack/test/dispatch/mapper_test.rb
+++ b/actionpack/test/dispatch/mapper_test.rb
@@ -178,6 +178,19 @@ module ActionDispatch
           mapper.mount as: "exciting"
         end
       end
+
+      def test_scope_does_not_destructively_mutate_default_options
+        fakeset = FakeSet.new
+        mapper = Mapper.new fakeset
+
+        frozen = { foo: :bar }.freeze
+
+        assert_nothing_raised do
+          mapper.scope(defaults: frozen) do
+            # pass
+          end
+        end
+      end
     end
   end
 end
-- 
cgit v1.2.3