Handle path_params gracefully when a user sends ?path_params=string

In some cases, params are passed into url_for, causing path_params
to be sent unintentionally. It is possible to both send a string,
causing a 500 error, or send a hash: ?path_params[inject]=string.

I spent some time before posting this reviewing whether it was
possible to exploit the fact that path_params can be sent in query
params, but I don't believe there to be a vulnerability. Although
it is probably good practice to scrub this key when sending
params to url_for just to be sure.

Author: martinemde

actionpack/lib/action_dispatch/journey/formatter.rb

@@ -60,8 +60,13 @@ def message
 
       def generate(name, options, path_parameters)
         original_options = options.dup
-        path_params = options.delete(:path_params) || {}
-        options = path_params.merge(options)
+        path_params = options.delete(:path_params)
+        if path_params.is_a?(Hash)
+          options = path_params.merge(options)
+        else
+          path_params = nil
+          options = options.dup
+        end
         constraints = path_parameters.merge(options)
         missing_keys = nil
 
@@ -79,7 +84,7 @@ def generate(name, options, path_parameters)
             # top-level params' normal behavior of generating query_params should be
             # preserved even if the same key is also a bind_param
             parameterized_parts.key?(key) || route.defaults.key?(key) ||
-              (path_params.key?(key) && !original_options.key?(key))
+              (path_params&.key?(key) && !original_options.key?(key))
           end
 
           defaults       = route.defaults

actionpack/test/controller/url_for_integration_test.rb

@@ -87,6 +87,9 @@ def setup
       ["/blog/2009", [     { controller: "posts", action: "show_date", year: 2009 }]],
       ["/blog/2009/1", [   { controller: "posts", action: "show_date", year: 2009, month: 1 }]],
       ["/blog/2009/1/1", [ { controller: "posts", action: "show_date", year: 2009, month: 1, day: 1 }]],
+      ["/blog/2009/1/1", [ { controller: "posts", action: "show_date", path_params: { year: 2009, month: 1, day: 1 } }]],
+      ["/blog/2009", [ { controller: "posts", action: "show_date", year: 2009, path_params: { year: 2024 } }]],
+      ["/blog/2009", [ { controller: "posts", action: "show_date", year: 2009, path_params: "ignores_a_string" }]],
 
       ["/archive/2010", [ { controller: "archive", action: "index", year: "2010" }]],
       ["/archive", [      { controller: "archive", action: "index" }]],