
stop calling to_sym when building arel nodes [CVE-2013-1854]

commit f980289fd2c1b9073a94b5d49b780a49f5e2933c 1 parent 4886991
Aaron Patterson authored
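--- a/activerecord/lib/active_record/relation.rb
+++ b/activerecord/lib/active_record/relation.rb
@@ -464,7 +464,7 @@ def where_values_hash
         node.left.relation.name == table_name
       }
 
-      Hash[equalities.map { |where| [where.left.name, where.right] }]
+      Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
     end
 
     def scope_for_create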
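--- a/activerecord/lib/active_record/relation/predicate_builder.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -20,7 +20,7 @@ def self.build_from_hash(engine, attributes, default_table, allow_table_name = t
             table = Arel::Table.new(table_name, engine)
           end
 
-          attribute = table[column.to_sym]
+          attribute = table[column]
 
           case value
           when ActiveRecord::Relation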
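--- a/activerecord/test/cases/method_scoping_test.rb
+++ b/activerecord/test/cases/method_scoping_test.rb
@@ -212,14 +212,14 @@ def test_scope_for_create_only_uses_equal
     table = VerySpecialComment.arel_table
     relation = VerySpecialComment.scoped
     relation.where_values << table[:id].not_eq(1)
-    assert_equal({:type => "VerySpecialComment"}, relation.send(:scope_for_create))
+    assert_equal({'type' => "VerySpecialComment"}, relation.send(:scope_for_create))
   end
 
   def test_scoped_create
     new_comment = nil
 
     VerySpecialComment.send(:with_scope, :create => { :post_id => 1 }) do
-      assert_equal({:post_id => 1, :type => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
+      assert_equal({'post_id' => 1, 'type' => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
       new_comment = VerySpecialComment.create :body => "Wonderful world"
     end
 
@@ -228,7 +228,7 @@ def test_scoped_create
 
   def test_scoped_create_with_join_and_merge
     Comment.where(:body => "but Who's Buying?").joins(:post).merge(Post.where(:body => 'Peace Sells...')).with_scope do
-      assert_equal({:body => "but Who's Buying?"}, Comment.scoped.scope_for_create)
+      assert_equal({'body' => "but Who's Buying?"}, Comment.scoped.scope_for_create)
     end
   end
 
@@ -441,7 +441,7 @@ def test_nested_scoped_create
     comment = nil
     Comment.send(:with_scope, :create => { :post_id => 1}) do
       Comment.send(:with_scope, :create => { :post_id => 2}) do
-        assert_equal({:post_id => 2}, Comment.scoped.send(:scope_for_create))
+        assert_equal({'post_id' => 2}, Comment.scoped.send(:scope_for_create))
         comment = Comment.create :body => "Hey guys, nested scopes are broken. Please fix!"
       end
     end
@@ -453,7 +453,7 @@ def test_nested_exclusive_scope_for_create
 
     Comment.send(:with_scope, :create => { :body => "Hey guys, nested scopes are broken. Please fix!" }) do
       Comment.send(:with_exclusive_scope, :create => { :post_id => 1 }) do
-        assert_equal({:post_id => 1}, Comment.scoped.send(:scope_for_create))
+        assert_equal({'post_id' => 1}, Comment.scoped.send(:scope_for_create))
         assert_blank Comment.new.body
         comment = Comment.create :body => "Hey guys"
       end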
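--- a/activerecord/test/cases/relation_test.rb
+++ b/activerecord/test/cases/relation_test.rb
@@ -71,7 +71,7 @@ def test_empty_where_values_hash
     def test_has_values
       relation = Relation.new Post, Post.arel_table
       relation.where_values << relation.table[:id].eq(10)
-      assert_equal({:id => 10}, relation.where_values_hash)
+      assert_equal({'id' => 10}, relation.where_values_hash)
     end
 
     def test_values_wrong_table
@@ -101,7 +101,7 @@ def test_scope_for_create
 
     def test_create_with_value
       relation = Relation.new Post, Post.arel_table
-      hash = { :hello => 'world' }
+      hash = { 'hello' => 'world' }
       relation.create_with_value = hash
       assert_equal hash, relation.scope_for_create
     end
@@ -110,7 +110,7 @@ def test_create_with_value_with_wheres
       relation = Relation.new Post, Post.arel_table
       relation.where_values << relation.table[:id].eq(10)
       relation.create_with_value = {:hello => 'world'}
-      assert_equal({:hello => 'world', :id => 10}, relation.scope_for_create)
+      assert_equal({'hello' => 'world', 'id' => 10}, relation.scope_for_create)
     end
 
     # FIXME: is this really wanted or expected behavior?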

2 notes on commit f980289

Rob Sanheim

Also, a possible regression related to this commit: #9813
