From 357cd23d3aedabb99fd70b812ffcea2d1cc9893d Mon Sep 17 00:00:00 2001
From: Ryuta Kamizono
Date: Wed, 20 Feb 2019 20:55:09 +0900
Subject: Don't allow `where` with non numeric string matches to 0 values

This is a follow-up of #35310. Currently `Topic.find_by(id: "not-a-number")` matches to a `id = 0` record. That is considered as silently leaking information. If non numeric string is given to find by an integer column, it should not be matched to any record. Related #12793.

---
activerecord/test/cases/relation/where_test.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'activerecord/test')
diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
index bec204643b..5c729e68cd 100644
--- a/activerecord/test/cases/relation/where_test.rb
+++ b/activerecord/test/cases/relation/where_test.rb
@@ -51,8 +51,9 @@ module ActiveRecord
 end
 def test_where_with_invalid_value
- topics(:first).update!(written_on: nil, bonus_time: nil, last_read: nil)
+ topics(:first).update!(parent_id: 0, written_on: nil, bonus_time: nil, last_read: nil)
 assert_empty Topic.where(parent_id: Object.new)
+ assert_empty Topic.where(parent_id: "not-a-number")
 assert_empty Topic.where(written_on: "")
 assert_empty Topic.where(bonus_time: "")
 assert_empty Topic.where(last_read: "")
-- cgit v1.2.3
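Review bot: The new assertion `assert_empty Topic.where(parent_id: "not-a-number")` pins only the fully non-numeric case, while the failure mode described in the commit message (a string silently collapsing to `0` and matching a real row) presumably also arises from partially numeric input such as `"1abc"` or whitespace-padded values, which `String#to_i` truncates rather than rejects; those are worth asserting alongside it, e.g. `assert_empty Topic.where(parent_id: "0abc")`. The message also motivates the change with `Topic.find_by(id: "not-a-number")` on the primary key, but the test only exercises `parent_id` via `where`, so a `assert_nil Topic.find_by(id: "not-a-number")` would cover the stated leak path directly. The setup line `topics(:first).update!(parent_id: 0, ...)` is what makes the `0` collision observable, so a one-line comment above it saying that a `parent_id = 0` row must exist for the non-numeric assertion to be meaningful would help future readers. The closing `end` of `test_where_with_invalid_value` is not visible in the hunk.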