Merge pull request rails#44844 from stefkin/acp-key-validation

gmcgibbon · web-flow · commit 39b7bf7a00fd · 2022-04-06T16:19:48.000-04:00
Only allow String and Symbol keys in ActionController::Parameters
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+*   Allow only String and Symbol keys in `ActionController::Parameters`.
+    Raise `ActionController::InvalidParameterKey` when initializing Parameters
+    with keys that aren't strings or symbols.
+
+    *Seva Stefkin*
+
 *   Add the ability to use custom logic for storing and retrieving CSRF tokens.
 
     By default, the token will be stored in the session.  Custom classes can be
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -64,6 +64,16 @@ def initialize # :nodoc:
     end
   end
 
+  # Raised when initializing Parameters with keys that aren't strings or symbols.
+  #
+  #   ActionController::Parameters.new(123 => 456)
+  #   # => ActionController::InvalidParameterKey: all keys must be Strings or Symbols
+  class InvalidParameterKey < ArgumentError
+    def initialize # :nodoc:
+      super("all keys must be Strings or Symbols")
+    end
+  end
+
   # == Action Controller \Parameters
   #
   # Allows you to choose which attributes should be permitted for mass updating
@@ -259,6 +269,8 @@ def nested_attribute?(key, value) # :nodoc:
     #   params.permitted?  # => true
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def initialize(parameters = {}, logging_context = {})
+      raise InvalidParameterKey unless parameters.keys.all? { |key| key.is_a?(String) || key.is_a?(Symbol) }
+
       @parameters = parameters.with_indifferent_access
       @logging_context = logging_context
       @permitted = self.class.permit_all_parameters
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -519,4 +519,10 @@ def dup; @dupped = true; end
 
     assert_equal false, params.permitted?
   end
+
+  test "only String and Symbol keys are allowed" do
+    assert_raises(ActionController::InvalidParameterKey) do
+      ActionController::Parameters.new({ foo: 1 } => :bar)
+    end
+  end
 end
