File 0003-CVE-2021-22885.patch of Package rubygem-actionpack-5_1.19566
From 3eb9e74c287750a9fe11f700fc96d3be1e83aa35 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon <gannon.mcgibbon@shopify.com>
Date: Thu, 18 Feb 2021 13:17:08 -0500
Subject: [PATCH] Prevent string polymorphic route arguments
url_for supports building polymorphic URLs via an array
of arguments (usually symbols and records). If an array is passed,
strings can result in unwanted route helper calls.
CVE-2021-22885
---
.../routing/polymorphic_routes.rb | 12 +++--
4 files changed, 79 insertions(+), 10 deletions(-)
diff --git a/lib/action_dispatch/routing/polymorphic_routes.rb b/lib/action_dispatch/routing/polymorphic_routes.rb
index 6da869c0c2..84b78e1cb2 100644
--- a/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -286,10 +286,12 @@ def handle_list(list)
args = []
- route = record_list.map { |parent|
+ route = record_list.map do |parent|
case parent
- when Symbol, String
+ when Symbol
parent.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
when Class
args << parent
parent.model_name.singular_route_key
@@ -297,12 +299,14 @@ def handle_list(list)
args << parent.to_model
parent.to_model.model_name.singular_route_key
end
- }
+ end
route <<
case record
- when Symbol, String
+ when Symbol
record.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
when Class
@key_strategy.call record.model_name
else