Merge pull request rails#51950 from zzak/51215-raise

Raise when using key which can't respond to `#to_sym` in EncryptedConfiguration

Author: byroot

activesupport/CHANGELOG.md

@@ -1,3 +1,9 @@
+*   Raise when using key which can't respond to `#to_sym` in `EncryptedConfiguration`.
+
+    As is the case when trying to use an Integer or Float as a key, which is unsupported.
+
+    *zzak*
+
 *   Deprecate addition and since between two `Time` and `ActiveSupport::TimeWithZone`.
 
     Previously adding time instances together such as `10.days.ago + 10.days.ago` or `10.days.ago.since(10.days.ago)` produced a nonsensical future date. This behavior is deprecated and will be removed in Rails 8.1.

activesupport/lib/active_support/encrypted_configuration.rb

@@ -43,6 +43,12 @@ def message
       end
     end
 
+    class InvalidKeyError < RuntimeError
+      def initialize(content_path, key)
+        super "Key '#{key}' is invalid, it must respond to '#to_sym' from configuration in '#{content_path}'."
+      end
+    end
+
     delegate_missing_to :options
 
     def initialize(config_path:, key_path:, env_key:, raise_if_missing_key:)
@@ -61,7 +67,11 @@ def read
     end
 
     def validate! # :nodoc:
-      deserialize(read)
+      deserialize(read).each_key do |key|
+        key.to_sym
+      rescue NoMethodError
+        raise InvalidKeyError.new(content_path, key)
+      end
     end
 
     # Returns the decrypted content as a Hash with symbolized keys.
@@ -73,14 +83,23 @@ def validate! # :nodoc:
     #   # => { some_secret: 123, some_namespace: { another_secret: 789 } }
     #
     def config
-      @config ||= deserialize(read).deep_symbolize_keys
+      @config ||= deep_symbolize_keys(deserialize(read))
     end
 
     def inspect # :nodoc:
       "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
     end
 
     private
+      def deep_symbolize_keys(hash)
+        hash.deep_symbolize_keys
+        hash.deep_transform_keys do |key|
+          key.to_sym
+        rescue NoMethodError
+          raise InvalidKeyError.new(content_path, key)
+        end
+      end
+
       def deep_transform(hash)
         return hash unless hash.is_a?(Hash)
 

activesupport/test/encrypted_configuration_test.rb

@@ -93,6 +93,42 @@ class EncryptedConfigurationTest < ActiveSupport::TestCase
     end
   end
 
+  test "raises helpful error when loading invalid content with unsupported keys" do
+    @credentials.write("42: value")
+
+    assert_raise(ActiveSupport::EncryptedConfiguration::InvalidKeyError, match: /Key '42' is invalid, it must respond to '#to_sym' from configuration in '#{@credentials_config_path}'./) do
+      @credentials.config
+    end
+
+    @credentials.write("42.0: value")
+    assert_raise(ActiveSupport::EncryptedConfiguration::InvalidKeyError, match: /Key '42.0' is invalid, it must respond to '#to_sym' from configuration in '#{@credentials_config_path}'./) do
+      @credentials.config
+    end
+
+    @credentials.write("Off: value")
+    assert_raise(ActiveSupport::EncryptedConfiguration::InvalidKeyError, match: /Key 'false' is invalid, it must respond to '#to_sym' from configuration in '#{@credentials_config_path}'./) do
+      @credentials.config
+    end
+  end
+
+  test "raises helpful error when validating invalid content with unsupported keys" do
+    @credentials.write("42: value")
+
+    assert_raise(ActiveSupport::EncryptedConfiguration::InvalidKeyError, match: /Key '42' is invalid, it must respond to '#to_sym' from configuration in '#{@credentials_config_path}'./) do
+      @credentials.validate!
+    end
+
+    @credentials.write("42.0: value")
+    assert_raise(ActiveSupport::EncryptedConfiguration::InvalidKeyError, match: /Key '42.0' is invalid, it must respond to '#to_sym' from configuration in '#{@credentials_config_path}'./) do
+      @credentials.validate!
+    end
+
+    @credentials.write("Off: value")
+    assert_raise(ActiveSupport::EncryptedConfiguration::InvalidKeyError, match: /Key 'false' is invalid, it must respond to '#to_sym' from configuration in '#{@credentials_config_path}'./) do
+      @credentials.validate!
+    end
+  end
+
   test "raises key error when accessing config via bang method" do
     assert_raise(KeyError) { @credentials.something! }
   end