Return self when calling #each, #each_pair, and #each_value instead o…

…f the raw @parameters hash [CVE-2020-8164]
rails · May 15, 2020 · 7a3ee4f · 7a3ee4f
1 parent e8df564
commit 7a3ee4f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -337,6 +337,8 @@ def each_pair(&block)
       @parameters.each_pair do |key, value|
         yield [key, convert_hashes_to_parameters(key, value)]
       end
+
+      self
     end
     alias_method :each, :each_pair
 

diff --git a/actionpack/test/controller/parameters/accessors_test.rb b/actionpack/test/controller/parameters/accessors_test.rb
@@ -20,6 +20,14 @@ class ParametersAccessorsTest < ActiveSupport::TestCase
     )
   end
 
+  test "each returns self" do
+    assert_same @params, @params.each { |_| _ }
+  end
+
+  test "each_pair returns self" do
+    assert_same @params, @params.each_pair { |_| _ }
+  end
+
   test "[] retains permitted status" do
     @params.permit!
     assert_predicate @params[:person], :permitted?
-Original file line number
+Diff line change
@@ Expand Up / @@ -337,6 +337,8 @@ def each_pair(&block) @@
           @parameters.each_pair do |key, value|
             yield [key, convert_hashes_to_parameters(key, value)]
           end
+          self
         end
         alias_method :each, :each_pair
@@ Expand Down @@