From be6dd1c705551823db13b47ca76b0a6540e21135 Mon Sep 17 00:00:00 2001
From: Gannon McGibbon
Date: Thu, 18 Feb 2021 13:17:08 -0500
Subject: [PATCH] Prevent string polymorphic route arguments

url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If an array is passed, strings can result in unwanted route helper calls.

CVE-2021-22885
---
 .../action_dispatch/routing/polymorphic_routes.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
index 6da869c..84b78e1 100644
--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -288,10 +288,12 @@ module ActionDispatch
 args = []
- route = record_list.map { |parent|
+ route = record_list.map do |parent|
 case parent
- when Symbol, String
+ when Symbol
 parent.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
 when Class
 args << parent
 parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
 args << parent.to_model
 parent.to_model.model_name.singular_route_key
 end
- }
+ end
 route << case record
- when Symbol, String
+ when Symbol
 record.to_s
+ when String
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
 when Class
 @key_strategy.call record.model_name
 else
-- 
2.23.0
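Review bot: The new `when String` branches in both hunks carry no comment saying why a String is refused while a Symbol is accepted, so a later maintainer may reinstate String support as a convenience and silently undo the CVE-2021-22885 fix; suggest adding above the first `when String` the comment `# A String here would choose the route helper name, so only Symbols are accepted (CVE-2021-22885).` and a one-line cross-reference at the second. The error message literal is duplicated verbatim across the two hunks and would be better hoisted into a single frozen constant so the two branches cannot drift apart. Stylistically, surrounding Rails code raises as `raise ArgumentError, "..."` without parentheses around the arguments. The `case record` expression in the second hunk, and the enclosing method, continue past the end of the hunk.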