From 5dc869dc73bcbe0b3dd415f257cf175015c4d014 Mon Sep 17 00:00:00 2001
From: Andrew White <andyw@pixeltrix.co.uk>
Date: Fri, 27 Nov 2015 13:46:46 +0000
Subject: [PATCH] Don't short-circuit reject_if proc
When updating an associated record via nested attribute hashes the
reject_if proc could be bypassed if the _destroy flag was set in the
attribute hash and allow_destroy was set to false.
The fix is to only short-circuit if the _destroy flag is set and the
option allow_destroy is set to true. It also fixes an issue where
a new record wasn't created if _destroy was set and the option
allow_destroy was set to false.
CVE-2015-7577
---
activerecord/lib/active_record/nested_attributes.rb | 14 ++++++++++++--
activerecord/test/cases/nested_attributes_test.rb | 13 +++++++++++++
2 files changed, 25 insertions(+), 2 deletions(-)
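--- a/activerecord/test/cases/nested_attributes_test.rb
+++ b/activerecord/test/cases/nested_attributes_test.rb
@@ -161,6 +161,19 @@ class TestNestedAttributesInGeneral < ActiveRecord::TestCase
 assert man.reload.interests.empty?
 end
 
+ def test_reject_if_is_not_short_circuited_if_allow_destroy_is_false
+ Pirate.accepts_nested_attributes_for :ship, reject_if: ->(a) { a[:name] == "The Golden Hind" }, allow_destroy: false
+
+ pirate = Pirate.create!(catchphrase: "Stop wastin' me time", ship_attributes: { name: "White Pearl", _destroy: "1" })
+ assert_equal "White Pearl", pirate.reload.ship.name
+
+ pirate.update!(ship_attributes: { id: pirate.ship.id, name: "The Golden Hind", _destroy: "1" })
+ assert_equal "White Pearl", pirate.reload.ship.name
+
+ pirate.update!(ship_attributes: { id: pirate.ship.id, name: "Black Pearl", _destroy: "1" })
+ assert_equal "Black Pearl", pirate.reload.ship.name
+ end
+
 def test_has_many_association_updating_a_single_record
 Man.accepts_nested_attributes_for(:interests)
 man = Man.create(name: 'John')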
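Review bot: The added test `test_reject_if_is_not_short_circuited_if_allow_destroy_is_false` covers only the one-to-one `:ship` association, so the regression guard for CVE-2015-7577 does not exercise collection associations, where a client-supplied `_destroy` flag arrives the same way. Since `reject_if` is frequently the only filter applied to nested params, a has_many counterpart using the `Man`/`interests` models already used in this file would pin the behaviour for both paths; a sketch follows. The test also redefines `Pirate.accepts_nested_attributes_for :ship` at class level, and the enclosing class starts outside the hunk, so it is worth confirming that a teardown restores the options for later tests. The `nested_attributes.rb` change listed in the diffstat is not shown on this page, so the collection path being affected is inferred from the commit message rather than verified.

```ruby
def test_reject_if_is_not_short_circuited_for_has_many_if_allow_destroy_is_false
  Man.accepts_nested_attributes_for :interests, reject_if: ->(a) { a[:topic] == "rejected" }, allow_destroy: false

  man = Man.create!(name: "John", interests_attributes: [{ topic: "photography", _destroy: "1" }])
  interest = man.reload.interests.first
  assert_equal "photography", interest.topic

  # _destroy must not let the update skip reject_if when allow_destroy is false
  man.update!(interests_attributes: [{ id: interest.id, topic: "rejected", _destroy: "1" }])
  assert_equal "photography", interest.reload.topic
end
```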
--
2.4.9 (Apple Git-60)