File 0003-CVE-2021-22885.patch of Package rubygem-actionpack-5_1.27780

Overview Repositories Revisions Requests Users Attributes Meta

File 0003-CVE-2021-22885.patch of Package rubygem-actionpack-5_1.27780

From 3eb9e74c287750a9fe11f700fc96d3be1e83aa35 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon <gannon.mcgibbon@shopify.com>
Date: Thu, 18 Feb 2021 13:17:08 -0500
Subject: [PATCH] Prevent string polymorphic route arguments

url_for supports building polymorphic URLs via an array
of arguments (usually symbols and records). If an array is passed,
strings can result in unwanted route helper calls.

CVE-2021-22885
---
 .../routing/polymorphic_routes.rb             | 12 +++--
 4 files changed, 79 insertions(+), 10 deletions(-)

diff --git a/lib/action_dispatch/routing/polymorphic_routes.rb b/lib/action_dispatch/routing/polymorphic_routes.rb
index 6da869c0c2..84b78e1cb2 100644
--- a/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -286,10 +286,12 @@ def handle_list(list)
 
             args = []
 
-            route = record_list.map { |parent|
+            route = record_list.map do |parent|
               case parent
-              when Symbol, String
+              when Symbol
                 parent.to_s
+              when String
+                raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
               when Class
                 args << parent
                 parent.model_name.singular_route_key
@@ -297,12 +299,14 @@ def handle_list(list)
                 args << parent.to_model
                 parent.to_model.model_name.singular_route_key
               end
-            }
+            end
 
             route <<
             case record
-            when Symbol, String
+            when Symbol
               record.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               @key_strategy.call record.model_name
             else

Places

File 0003-CVE-2021-22885.patch of Package rubygem-actionpack-5_1.27780

Places