From 0a5dc63de12a452404be65ea0e7def1e3be19fc8 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sat, 19 Mar 2016 15:09:41 -0700
Subject: [PATCH] Check types more thoroughly when parsing ACLs
---
 lib/rails/auth/acl.rb | 6 +++++-
 spec/rails/auth/acl_spec.rb | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/rails/auth/acl.rb b/lib/rails/auth/acl.rb
index c8c5ea2..398bd4c 100644
--- a/lib/rails/auth/acl.rb
+++ b/lib/rails/auth/acl.rb
@@ -22,9 +22,13 @@ def self.from_yaml(yaml, **args)
 # @param [Hash] :matchers predicate matchers for use with this ACL
 #
 def initialize(acl, matchers: {})
+ raise TypeError, "expected Array for acl, got #{acl.class}" unless acl.is_a?(Array)
+
 @resources = []
- acl.each_with_index do |entry|
+ acl.each do |entry|
+ raise TypeError, "expected Hash for acl entry, got #{entry.class}" unless entry.is_a?(Hash)
+
 resources = entry["resources"]
 raise ParseError, "no 'resources' key present in entry: #{entry.inspect}" unless resources
diff --git a/spec/rails/auth/acl_spec.rb b/spec/rails/auth/acl_spec.rb
index 5394bfe..4b5b500 100644
--- a/spec/rails/auth/acl_spec.rb
+++ b/spec/rails/auth/acl_spec.rb
@@ -11,6 +11,12 @@
 )
 end
+ describe "#initialize" do
+ it "raises TypeError if given a non-Array ACL type" do
+ expect { described_class.new(:bogus) }.to raise_error(TypeError)
+ end
+ end
+
 describe "#match" do
 it "matches routes against the ACL" do
 expect(example_acl.match(env_for(:get, "/"))).to eq true
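Review bot: In `initialize`, the `resources` value is still only checked for presence (`unless resources`), so an entry whose "resources" key holds a String or Hash passes every check visible in this hunk. For an authorization ACL it is safer to reject that at parse time, e.g. `raise ParseError, "expected Array for 'resources', got #{resources.class}" unless resources.is_a?(Array)`. The two new guards also raise `TypeError` while the neighbouring check raises `ParseError`, so a caller that rescues only `ParseError` to report a malformed ACL file will not see them; consider one error class for all malformed-input cases, or document both with `@raise` tags above `initialize`. The rest of the method body is outside the hunk, so later validation of `resources` may already exist.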
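Review bot: The new `#initialize` example exercises only the non-Array guard; the per-entry guard added in lib/rails/auth/acl.rb (`unless entry.is_a?(Hash)`) has no spec, so a regression there would go unnoticed. Add a second example inside the same `describe`, `it "raises TypeError if given a non-Hash ACL entry" do` with the body `expect { described_class.new([:bogus]) }.to raise_error(TypeError)`. Matching on the message as well (`raise_error(TypeError, /expected Hash/)`) would keep the two cases from masking each other.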