Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Stop fetch from mutating when default is a hash #102

wants to merge 1 commit into from

4 participants


See gh-56 for an issue on this


This line makes me uneasy. It's needed for the "sticky" tests to pass but I feel like the Parameters were permitted then we dropped new data via a default hash, which hasn't been checked. Maybe that's OK because you are in control since they are defaults?


Huge +1 This has been a really annoying bug.


@bemurphy Could you get the tests passing again?


First, we need to fix this issue on rails/rails, after this we can merge it on the gem.


I resubmitted this to rails, it's merged here: rails/rails#12656

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Feb 19, 2013
  1. @bemurphy

    Stop fetch from mutating when default is a hash

    bemurphy authored
    See gh-56 for an issue on this
This page is out of date. Refresh to see the latest.
9 lib/action_controller/parameters.rb
@@ -79,7 +79,14 @@ def [](key)
def fetch(key, *args)
- convert_hashes_to_parameters(key, super)
+ value = super
+ # Don't rely on +convert_hashes_to_parameters+
+ # so as to not mutate via a +fetch+
+ if value.is_a?(Hash)
+ value =
+ value.permit! if permitted?
+ end
+ value
rescue KeyError, IndexError
7 test/parameters_taint_test.rb
@@ -22,6 +22,13 @@ class ParametersTaintTest < ActiveSupport::TestCase
+ test "fetch where the default is a hash will not mutate the instance" do
+ @params.fetch :foo, {}
+ assert !@params.has_key?(:foo)
+ @params.fetch :foo, {:fizz => :buzz}
+ assert !@params.has_key?(:foo)
+ end
test "not permitted is sticky on accessors" do
assert !@params.slice(:person).permitted?
assert !@params[:person][:name].permitted?
Something went wrong with that request. Please try again.