store enum mapping using `Strings` instead of `Symbols`.

This allows assigning both `String` and `Symbol` values to the enum
without having to call `to_sym`, which is a security problem.
senny committed Nov 5, 2013
1 parent 6c720d1 commit 44406d1e77061ce22effaae4698918c1f9f6271a
Showing with 9 additions and 3 deletions.
  1. +2 −1 activerecord/lib/active_record/enum.rb
  2. +7 −2 activerecord/test/cases/enum_test.rb
@@ -43,6 +43,7 @@ def enum(definitions)
_enum_methods_module.module_eval do
# def direction=(value) self[:direction] = DIRECTION[value] end
define_method("#{name}=") { |value|
+ value = value.to_s
unless enum_values.has_key?(value)
raise ArgumentError, "'#{value}' is not a valid #{name}"
end
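Review bot: coercing with `value.to_s` before the `has_key?` lookup means a `nil` assignment now arrives as `""`, so the `ArgumentError` reads `'' is not a valid status` instead of naming `nil`; if `nil` is meant to clear the column, handle it explicitly before the coercion (e.g. `value = value.to_s unless value.nil?`), and if it is not, consider interpolating the original object in the message so the caller sees what was actually passed. Using `to_s` rather than `to_sym` here is the right choice for a setter that receives caller-supplied input, since it avoids interning arbitrary strings as Symbols, which is the concern the commit message refers to.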
@@ -54,7 +55,7 @@ def enum(definitions)
pairs = values.respond_to?(:each_pair) ? values.each_pair : values.each_with_index
pairs.each do |value, i|
- enum_values[value] = i
+ enum_values[value.to_s] = i
# scope :incoming, -> { where direction: 0 }
klass.scope value, -> { klass.where name => i }
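Review bot: the String coercion is now duplicated in two places (`value.to_s` here when the mapping is built and again in the setter), so the two lookups can drift apart if one is changed without the other; a small normalising helper used by both would keep them in sync. The reverse mapping that the reader relies on is not in this hunk, but if it is done with `enum_values.key(...)` it will pick up the String keys automatically, which is what the updated tests below assert; a short comment here stating that the keys are intentionally Strings would make that dependency visible.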
@@ -17,8 +17,8 @@ class EnumTest < ActiveRecord::TestCase
end
test "query state with symbol" do
- assert_equal :proposed, @book.status
- assert_equal :unread, @book.read_status
+ assert_equal "proposed", @book.status
+ assert_equal "unread", @book.read_status
end
test "find via scope" do
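Review bot: the test is still named "query state with symbol" but it now asserts String return values (`"proposed"`, `"unread"`); rename it (for example "query state" or "query state with string") so the name matches the behaviour it checks.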
@@ -46,6 +46,11 @@ class EnumTest < ActiveRecord::TestCase
assert @book.written?
end
+ test "assign string value" do
+ @book.status = "written"
+ assert @book.written?
+ end
+
test "assign non existing value raises an error" do
e = assert_raises(ArgumentError) do
@book.status = :unknown
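Review bot: the new "assign string value" test only checks the predicate; adding `assert_equal "written", @book.status` would also pin the read-back type introduced by this commit. Since the commit message says both String and Symbol values are accepted, a sibling test assigning `:written` would cover the Symbol path for a valid value, as the existing test only exercises a Symbol for the invalid case.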

4 comments on commit 44406d1

jordimassaguerpla Dec 4, 2013

I've found this commit with the gems-status software (github.com/jordimassaguerpla/gems-status). Why is that a security problem? And if so, why has it not yet been released and assigned a CVE entry?


rafaelfranca Dec 4, 2013

Owner

@jordimassaguerpla normally to_sym can be a security problem; in this case it is not. The commit message talks about this possibility, not about a problem.


carlosantoniodasilva Dec 4, 2013

Owner

@jordimassaguerpla this is a master feature only, so there's nothing possibly wrong with it to worry about. Thanks.


jordimassaguerpla Dec 4, 2013

Thanks for your comments.
