Fix bug: ParameterFilter should not add keys (#3431) (#4457)

If called with a hash that has a `default` / `default_proc` configured, `Devise::ParameterFilter` can add in missing keys it was due to attempt to sanitise the values for. This patch prevents this from happening, whilst also clarifying the filtering intent of `ParamaterFilter`. (This can also occur if NilClass has been augmented with definitions for `strip` or `downcase`.) Fixes #3431.
heartcombo · May 15, 2018 · 31aceeb · 31aceeb
1 parent af8f7e9
commit 31aceeb
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/lib/devise/parameter_filter.rb b/lib/devise/parameter_filter.rb
@@ -18,6 +18,8 @@ def filter(conditions)
 
     def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
       condition_keys.each do |k|
+        next unless conditions.key?(k)
+
         value = conditions[k]
         conditions[k] = value.send(method) if value.respond_to?(method)
       end

diff --git a/test/models/database_authenticatable_test.rb b/test/models/database_authenticatable_test.rb
@@ -88,6 +88,13 @@ def setup
     assert_equal( {'strip_whitespace' => 'strip_whitespace_val', 'do_not_strip_whitespace' => ' do_not_strip_whitespace_val '}, conditions )
   end
 
+  test 'param filter should not add keys to filtered hash' do
+    conditions = { 'present' => 'present_val' }
+    conditions.default = ''
+    conditions = Devise::ParameterFilter.new(['not_present'], []).filter(conditions)
+    assert_equal({ 'present' => 'present_val' }, conditions)
+  end
+
   test 'should respond to password and password confirmation' do
     user = new_user
     assert user.respond_to?(:password)