Avoided modifying env

When `env` is used to create a request, trying to access the POST parameters causes `ActionDispatch::Request` to parse them into a hash and reassign them to `env`. While parsing is minimal, there is a possibility that it will try to [parse and convert times](https://github.com/rails/rails/blob/b9ca94caea2ca6a6cc09abaffaad67b447134079/activesupport/lib/active_support/json/decoding.rb#L22-L30), which is not idempotent. A simple way to avoid this is simply to call `env.dup` when creating the request.
cookpad · Jun 3, 2019 · 08d506c · 08d506c
1 parent b377533
commit 08d506c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/omniauth/rails_csrf_protection/token_verifier.rb b/lib/omniauth/rails_csrf_protection/token_verifier.rb
@@ -28,7 +28,7 @@ class TokenVerifier
       end
 
       def call(env)
-        @request = ActionDispatch::Request.new(env)
+        @request = ActionDispatch::Request.new(env.dup)
 
         unless verified_request?
           raise ActionController::InvalidAuthenticityToken