Fix unsafe query generation risk.

Redo of CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155

CVE-2016-6317

Author: tenderlove

actionpack/test/dispatch/request/json_params_parsing_test.rb

@@ -84,7 +84,50 @@ def teardown
     end
   end
 
+  test "prevent null query" do
+    # Make sure we have data to find
+    klass = Class.new(ActiveRecord::Base) do
+      def self.name; 'Foo'; end
+      establish_connection adapter: "sqlite3", database: ":memory:"
+      connection.create_table "foos" do |t|
+        t.string :title
+        t.timestamps null: false
+      end
+    end
+    klass.create
+    assert klass.first
+
+    app = ActionDispatch::ParamsParser.new ->(env) {
+      request = ActionDispatch::Request.new env
+      params = ActionController::Parameters.new request.parameters
+      if params[:t]
+        klass.find_by_title(params[:t])
+      else
+        nil
+      end
+    }
+
+    assert_nil app.call(make_env({ 't' => nil }))
+    assert_nil app.call(make_env({ 't' => [nil] }))
+
+    [[[nil]], [[[nil]]]].each do |data|
+      assert_deprecated do
+        assert_nil app.call(make_env({ 't' => data }))
+      end
+    end
+  end
+
   private
+    def make_env json
+      data = JSON.dump json
+      content_length = data.length
+      {
+        'CONTENT_LENGTH' => content_length,
+        'CONTENT_TYPE'   => 'application/json',
+        'rack.input'     => StringIO.new(data)
+      }
+    end
+
     def assert_parses(expected, actual, headers = {})
       with_test_routing do
         post "/parse", actual, headers

activerecord/lib/active_record/relation/predicate_builder/array_handler.rb

@@ -14,7 +14,8 @@ def call(attribute, value)
             it for 'IN' conditions.
           MSG
 
-          values = values.flatten
+          flat_values = values.flatten
+          values = flat_values unless flat_values.include?(nil)
         end
 
         return attribute.in([]) if values.empty? && nils.empty?