Return self when calling #each, #each_pair, and #each_value instead o…

…f the raw @parameters hash [CVE-2020-8164]
rails · May 15, 2020 · b3230c5 · b3230c5
1 parent 17507e8
commit b3230c5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -344,6 +344,8 @@ def each_pair(&block)
       @parameters.each_pair do |key, value|
         yield [key, convert_hashes_to_parameters(key, value)]
       end
+
+      self
     end
     alias_method :each, :each_pair
 
@@ -353,6 +355,8 @@ def each_value(&block)
       @parameters.each_pair do |key, value|
         yield convert_hashes_to_parameters(key, value)
       end
+
+      self
     end
 
     # Attribute that keeps track of converted arrays, if any, to avoid double

diff --git a/actionpack/test/controller/parameters/accessors_test.rb b/actionpack/test/controller/parameters/accessors_test.rb
@@ -19,6 +19,18 @@ class ParametersAccessorsTest < ActiveSupport::TestCase
     )
   end
 
+  test "each returns self" do
+    assert_same @params, @params.each { |_| _ }
+  end
+
+  test "each_pair returns self" do
+    assert_same @params, @params.each_pair { |_| _ }
+  end
+
+  test "each_value returns self" do
+    assert_same @params, @params.each_value { |_| _ }
+  end
+
   test "[] retains permitted status" do
     @params.permit!
     assert_predicate @params[:person], :permitted?