parameters_taint_test.rb

require 'test_helper'
require 'action_controller/parameters'


class ParametersTaintTest < ActiveSupport::TestCase
  setup do
    @params = ActionController::Parameters.new({ :person=> { 
      :age=> "32", :name=> { :first=> "David", :last=> "Heinemeier" }
    }})
  end

  test "fetch raises ParameterMissing exception" do
    e = assert_raises(ActionController::ParameterMissing) do
      @params.fetch :foo
    end
    assert_equal :foo, e.param
  end

  test "fetch doesnt raise ParameterMissing exception if there is a default" do
    assert_nothing_raised do
      assert_equal "monkey", @params.fetch(:foo, "monkey")
      assert_equal "monkey", @params.fetch(:foo) { "monkey" }
    end
  end

  test "permitted is sticky on accessors" do
    assert !@params.slice(:person).permitted?
    assert !@params[:person][:name].permitted?

    @params.each { |key, value| assert(value.permitted?) if key == :person }

    assert !@params.fetch(:person).permitted?

    assert !@params.values_at(:person).first.permitted?
  end

  test "permitted is sticky on mutators" do
    assert !@params.delete_if { |k,v| k == :person }.permitted?
    #assert !@params.keep_if { |k,v| k == :person }.permitted?     ### keep_if is not present in 3.1,its a feature of Rails 3.2 . So commenting it out
  end

  test "deleting the parameters" do
    params = {:app_bundle => {"release_path"=>"test", 
                              "domain_name"=>"foo.bar.com", 
                              "name"=>"thenewapp", 
                              "repository_name"=>"https://repo2.com/branches", 
                              "supports_primary_user"=>"1"}}
    params = ActionController::Parameters.new(params)
    
    x = params[:app_bundle].delete(:repository_name)
    assert_equal "https://repo2.com/branches", x
    assert_nil params[:app_bundle]["repository_name"]
  end

  test "permitted is sticky beyond merges" do
    assert !@params.merge(:a=> "b").permitted?
  end

  test "modifying the parameters" do
    @params[:person][:hometown] = "Chicago"
    @params[:person][:family] = { :brother=> "Jonas" }
    assert_equal "Chicago", @params[:person][:hometown]
    assert_equal "Jonas", @params[:person][:family][:brother]
  end
  
  test "permitting parameters that are not there should not include the keys" do
    assert !@params.permit(:person, :funky).has_key?(:funky)
  end

  test "permit state is kept on a dup" do
    @params.permit!
    assert_equal @params.permitted?, @params.dup.permitted?
  end
end