require "abstract_unit" require "action_dispatch/http/upload" require "action_controller/metal/strong_parameters" class ParametersPermitTest < ActiveSupport::TestCase def assert_filtered_out(params, key) assert !params.has_key?(key), "key #{key.inspect} has not been filtered out" end setup do @params = ActionController::Parameters.new( person: { age: "32", name: { first: "David", last: "Heinemeier Hansson" }, addresses: [{ city: "Chicago", state: "Illinois" }] } ) @struct_fields = [] %w(0 1 12).each do |number| ["", "i", "f"].each do |suffix| @struct_fields << "sf(#{number}#{suffix})" end end end def walk_permitted(params) params.each do |k,v| case v when ActionController::Parameters walk_permitted v when Array v.each { |x| walk_permitted v } end end end test "iteration should not impact permit" do hash = { "foo"=>{ "bar"=>{ "0"=>{ "baz"=>"hello", "zot"=>"1" } } } } params = ActionController::Parameters.new(hash) walk_permitted params sanitized = params[:foo].permit(bar: [:baz]) assert_equal({ "0"=>{ "baz"=>"hello" } }, sanitized[:bar].to_unsafe_h) end test "if nothing is permitted, the hash becomes empty" do params = ActionController::Parameters.new(id: "1234") permitted = params.permit assert permitted.permitted? assert permitted.empty? end test "key: permitted scalar values" do values = ["a", :a, nil] values += [0, 1.0, 2**128, BigDecimal.new(1)] values += [true, false] values += [Date.today, Time.now, DateTime.now] values += [STDOUT, StringIO.new, ActionDispatch::Http::UploadedFile.new(tempfile: __FILE__), Rack::Test::UploadedFile.new(__FILE__)] values.each do |value| params = ActionController::Parameters.new(id: value) permitted = params.permit(:id) assert_equal value, permitted[:id] @struct_fields.each do |sf| params = ActionController::Parameters.new(sf => value) permitted = params.permit(:sf) assert_equal value, permitted[sf] end end end test "key: unknown keys are filtered out" do params = ActionController::Parameters.new(id: "1234", injected: "injected") permitted = params.permit(:id) assert_equal "1234", permitted[:id] assert_filtered_out permitted, :injected end test "key: arrays are filtered out" do [[], [1], ["1"]].each do |array| params = ActionController::Parameters.new(id: array) permitted = params.permit(:id) assert_filtered_out permitted, :id @struct_fields.each do |sf| params = ActionController::Parameters.new(sf => array) permitted = params.permit(:sf) assert_filtered_out permitted, sf end end end test "key: hashes are filtered out" do [{}, { foo: 1 }, { foo: "bar" }].each do |hash| params = ActionController::Parameters.new(id: hash) permitted = params.permit(:id) assert_filtered_out permitted, :id @struct_fields.each do |sf| params = ActionController::Parameters.new(sf => hash) permitted = params.permit(:sf) assert_filtered_out permitted, sf end end end test "key: non-permitted scalar values are filtered out" do params = ActionController::Parameters.new(id: Object.new) permitted = params.permit(:id) assert_filtered_out permitted, :id @struct_fields.each do |sf| params = ActionController::Parameters.new(sf => Object.new) permitted = params.permit(:sf) assert_filtered_out permitted, sf end end test "key: it is not assigned if not present in params" do params = ActionController::Parameters.new(name: "Joe") permitted = params.permit(:id) assert !permitted.has_key?(:id) end test "key to empty array: empty arrays pass" do params = ActionController::Parameters.new(id: []) permitted = params.permit(id: []) assert_equal [], permitted[:id] end test "do not break params filtering on nil values" do params = ActionController::Parameters.new(a: 1, b: [1, 2, 3], c: nil) permitted = params.permit(:a, c: [], b: []) assert_equal 1, permitted[:a] assert_equal [1, 2, 3], permitted[:b] assert_equal nil, permitted[:c] end test "key to empty array: arrays of permitted scalars pass" do [["foo"], [1], ["foo", "bar"], [1, 2, 3]].each do |array| params = ActionController::Parameters.new(id: array) permitted = params.permit(id: []) assert_equal array, permitted[:id] end end test "key to empty array: permitted scalar values do not pass" do ["foo", 1].each do |permitted_scalar| params = ActionController::Parameters.new(id: permitted_scalar) permitted = params.permit(id: []) assert_filtered_out permitted, :id end end test "key to empty array: arrays of non-permitted scalar do not pass" do [[Object.new], [[]], [[1]], [{}], [{ id: "1" }]].each do |non_permitted_scalar| params = ActionController::Parameters.new(id: non_permitted_scalar) permitted = params.permit(id: []) assert_filtered_out permitted, :id end end test "fetch raises ParameterMissing exception" do e = assert_raises(ActionController::ParameterMissing) do @params.fetch :foo end assert_equal :foo, e.param end test "fetch with a default value of a hash does not mutate the object" do params = ActionController::Parameters.new({}) params.fetch :foo, {} assert_equal nil, params[:foo] end test "hashes in array values get wrapped" do params = ActionController::Parameters.new(foo: [{}, {}]) params[:foo].each do |hash| assert !hash.permitted? end end # Strong params has an optimization to avoid looping every time you read # a key whose value is an array and building a new object. We check that # optimization here. test "arrays are converted at most once" do params = ActionController::Parameters.new(foo: [{}]) assert_same params[:foo], params[:foo] end # Strong params has an internal cache to avoid duplicated loops in the most # common usage pattern. See the docs of the method `converted_arrays`. # # This test checks that if we push a hash to an array (in-place modification) # the cache does not get fooled, the hash is still wrapped as strong params, # and not permitted. test "mutated arrays are detected" do params = ActionController::Parameters.new(users: [{ id: 1 }]) permitted = params.permit(users: [:id]) permitted[:users] << { injected: 1 } assert_not permitted[:users].last.permitted? end test "fetch doesnt raise ParameterMissing exception if there is a default" do assert_equal "monkey", @params.fetch(:foo, "monkey") assert_equal "monkey", @params.fetch(:foo) { "monkey" } end test "fetch doesnt raise ParameterMissing exception if there is a default that is nil" do assert_equal nil, @params.fetch(:foo, nil) assert_equal nil, @params.fetch(:foo) { nil } end test "KeyError in fetch block should not be covered up" do params = ActionController::Parameters.new e = assert_raises(KeyError) do params.fetch(:missing_key) { {}.fetch(:also_missing) } end assert_match(/:also_missing$/, e.message) end test "not permitted is sticky beyond merges" do assert !@params.merge(a: "b").permitted? end test "permitted is sticky beyond merges" do @params.permit! assert @params.merge(a: "b").permitted? end test "merge with parameters" do other_params = ActionController::Parameters.new(id: "1234").permit! merged_params = @params.merge(other_params) assert merged_params[:id] end test "modifying the parameters" do @params[:person][:hometown] = "Chicago" @params[:person][:family] = { brother: "Jonas" } assert_equal "Chicago", @params[:person][:hometown] assert_equal "Jonas", @params[:person][:family][:brother] end test "permit is recursive" do @params.permit! assert @params.permitted? assert @params[:person].permitted? assert @params[:person][:name].permitted? assert @params[:person][:addresses][0].permitted? end test "permitted takes a default value when Parameters.permit_all_parameters is set" do begin ActionController::Parameters.permit_all_parameters = true params = ActionController::Parameters.new(person: { age: "32", name: { first: "David", last: "Heinemeier Hansson" } }) assert params.slice(:person).permitted? assert params[:person][:name].permitted? ensure ActionController::Parameters.permit_all_parameters = false end end test "permitting parameters as an array" do assert_equal "32", @params[:person].permit([ :age ])[:age] end test "to_h returns empty hash on unpermitted params" do assert @params.to_h.is_a? ActiveSupport::HashWithIndifferentAccess assert_not @params.to_h.is_a? ActionController::Parameters assert @params.to_h.empty? end test "to_h returns converted hash on permitted params" do @params.permit! assert @params.to_h.is_a? ActiveSupport::HashWithIndifferentAccess assert_not @params.to_h.is_a? ActionController::Parameters end test "to_h returns converted hash when .permit_all_parameters is set" do begin ActionController::Parameters.permit_all_parameters = true params = ActionController::Parameters.new(crab: "Senjougahara Hitagi") assert params.to_h.is_a? ActiveSupport::HashWithIndifferentAccess assert_not @params.to_h.is_a? ActionController::Parameters assert_equal({ "crab" => "Senjougahara Hitagi" }, params.to_h) ensure ActionController::Parameters.permit_all_parameters = false end end test "to_h returns always permitted parameter on unpermitted params" do params = ActionController::Parameters.new( controller: "users", action: "create", user: { name: "Sengoku Nadeko" } ) assert_equal({ "controller" => "users", "action" => "create" }, params.to_h) end test "to_unsafe_h returns unfiltered params" do assert @params.to_unsafe_h.is_a? ActiveSupport::HashWithIndifferentAccess assert_not @params.to_unsafe_h.is_a? ActionController::Parameters end test "to_unsafe_h returns unfiltered params even after accessing few keys" do params = ActionController::Parameters.new("f"=>{ "language_facet"=>["Tibetan"] }) expected = { "f"=>{ "language_facet"=>["Tibetan"] } } assert params["f"].is_a? ActionController::Parameters assert_equal expected, params.to_unsafe_h end test "to_h only deep dups Ruby collections" do company = Class.new do attr_reader :dupped def dup; @dupped = true; end end.new params = ActionController::Parameters.new(prem: { likes: %i( dancing ) }) assert_equal({ "prem" => { "likes" => %i( dancing ) } }, params.permit!.to_h) params = ActionController::Parameters.new(companies: [ company, :acme ]) assert_equal({ "companies" => [ company, :acme ] }, params.permit!.to_h) assert_not company.dupped end test "to_unsafe_h only deep dups Ruby collections" do company = Class.new do attr_reader :dupped def dup; @dupped = true; end end.new params = ActionController::Parameters.new(prem: { likes: %i( dancing ) }) assert_equal({ "prem" => { "likes" => %i( dancing ) } }, params.to_unsafe_h) params = ActionController::Parameters.new(companies: [ company, :acme ]) assert_equal({ "companies" => [ company, :acme ] }, params.to_unsafe_h) assert_not company.dupped end test "include? returns true when the key is present" do assert @params.include? :person assert @params.include? "person" assert_not @params.include? :gorilla end test "scalar values should be filtered when array or hash is specified" do params = ActionController::Parameters.new(foo: "bar") assert params.permit(:foo).has_key?(:foo) refute params.permit(foo: []).has_key?(:foo) refute params.permit(foo: [:bar]).has_key?(:foo) refute params.permit(foo: :bar).has_key?(:foo) end test "#permitted? is false by default" do params = ActionController::Parameters.new assert_equal false, params.permitted? end end