mongoid 9.0.8 → 9.0.10

data/spec/mongoid/association/referenced/has_many/enumerable_spec.rb

@@ -1819,6 +1819,400 @@ describe Mongoid::Association::Referenced::HasMany::Enumerable do
     end
   end
 
+  describe '#pluck' do
+    let(:person) do
+      Person.create!
+    end
+
+    let!(:post) do
+      Post.create!(person_id: person.id, title: 'Test Title')
+    end
+
+    let(:base) { Person }
+    let(:association) { Person.relations[:posts] }
+
+    let(:criteria) do
+      Post.where(person_id: person.id)
+    end
+
+    context 'when the enumerable is not loaded' do
+      let!(:enumerable) do
+        described_class.new(criteria, base, association)
+      end
+
+      context 'when the criteria is present' do
+        it 'delegates to the criteria pluck method' do
+          result = enumerable.pluck(:title)
+          expect(result).to eq(['Test Title'])
+        end
+
+        context 'when added docs are present' do
+          it 'combines the results from the criteria and the added docs' do
+            added_post = Post.new(title: 'Added Title', person_id: person.id)
+            enumerable << added_post
+
+            expect(criteria).to receive(:pluck).with(:title).and_return(['Test Title'])
+            result = enumerable.pluck(:title)
+            expect(result).to eq(['Test Title', 'Added Title'])
+          end
+        end
+      end
+
+      context 'when the criteria is not present' do
+        let(:enumerable) { described_class.new([], base, association) }
+
+        it 'returns nothing' do
+          result = enumerable.pluck(:title)
+          expect(result).to eq([])
+        end
+
+        context 'when added docs are present' do
+          it 'returns the values from the added docs' do
+            added_post = Post.new(title: 'Added Title', person_id: person.id)
+            enumerable << added_post
+
+            result = enumerable.pluck(:title)
+            expect(result).to eq(['Added Title'])
+          end
+        end
+      end
+    end
+
+    context 'when the enumerable is loaded' do
+      let(:enumerable) { described_class.new([post], base, association) }
+
+      it 'returns the values from the loaded documents' do
+        result = enumerable.pluck(:title)
+        expect(result).to eq(['Test Title'])
+      end
+
+      context 'when added docs are present' do
+        it 'returns the values from both loaded and added docs' do
+          added_post = Post.new(title: 'Added Title', person_id: person.id)
+          enumerable << added_post
+
+          result = enumerable.pluck(:title)
+          expect(result).to eq(['Test Title', 'Added Title'])
+        end
+      end
+    end
+  end
+
+  describe '#pluck with aliases' do
+    let!(:parent) do
+      Company.create!
+    end
+
+    context 'when the field is aliased' do
+      let!(:expensive) do
+        parent.products.create!(price: 100000)
+      end
+
+      let!(:cheap) do
+        parent.products.create!(price: 1)
+      end
+
+      context 'when using alias_attribute' do
+
+        let(:plucked) do
+          parent.products.pluck(:price)
+        end
+
+        it 'uses the aliases' do
+          expect(plucked).to eq([ 100000, 1 ])
+        end
+      end
+    end
+
+    context 'when plucking a localized field' do
+      with_default_i18n_configs
+
+      before do
+        I18n.locale = :en
+        p = parent.products.create!(name: 'english-text')
+        I18n.locale = :de
+        p.name = 'deutsch-text'
+        p.save!
+      end
+
+      context 'when plucking the entire field' do
+        let(:plucked) do
+          parent.products.all.pluck(:name)
+        end
+
+        let(:plucked_translations) do
+          parent.products.all.pluck(:name_translations)
+        end
+
+        let(:plucked_translations_both) do
+          parent.products.all.pluck(:name_translations, :name)
+        end
+
+        it 'returns the demongoized translations' do
+          expect(plucked.first).to eq('deutsch-text')
+        end
+
+        it 'returns the full translations hash to _translations' do
+          expect(plucked_translations.first).to eq({'de'=>'deutsch-text', 'en'=>'english-text'})
+        end
+
+        it 'returns both' do
+          expect(plucked_translations_both.first).to eq([{'de'=>'deutsch-text', 'en'=>'english-text'}, 'deutsch-text'])
+        end
+      end
+
+      context 'when plucking a specific locale' do
+
+        let(:plucked) do
+          parent.products.all.pluck(:'name.de')
+        end
+
+        it 'returns the specific translations' do
+          expect(plucked.first).to eq('deutsch-text')
+        end
+      end
+
+      context 'when plucking a specific locale from _translations field' do
+
+        let(:plucked) do
+          parent.products.all.pluck(:'name_translations.de')
+        end
+
+        it 'returns the specific translations' do
+          expect(plucked.first).to eq('deutsch-text')
+        end
+      end
+
+      context 'when fallbacks are enabled with a locale list' do
+        require_fallbacks
+
+        before do
+          I18n.fallbacks[:he] = [ :en ]
+        end
+
+        let(:plucked) do
+          parent.products.all.pluck(:name).first
+        end
+
+        it 'correctly uses the fallback' do
+          I18n.locale = :en
+          parent.products.create!(name: 'english-text')
+          I18n.locale = :he
+          expect(plucked).to eq 'english-text'
+        end
+      end
+
+      context 'when the localized field is aliased' do
+        before do
+          I18n.locale = :en
+          parent.products.delete_all
+          p = parent.products.create!(name: 'ACME Rocket Skates', tagline: 'english-text')
+          I18n.locale = :de
+          p.tagline = 'deutsch-text'
+          p.save!
+        end
+
+        context 'when plucking the entire field' do
+          let(:plucked) do
+            parent.products.all.pluck(:tagline)
+          end
+
+          let(:plucked_unaliased) do
+            parent.products.all.pluck(:tl)
+          end
+
+          let(:plucked_translations) do
+            parent.products.all.pluck(:tagline_translations)
+          end
+
+          let(:plucked_translations_both) do
+            parent.products.all.pluck(:tagline_translations, :tagline)
+          end
+
+          it 'returns the demongoized translations' do
+            expect(plucked.first).to eq('deutsch-text')
+          end
+
+          it 'returns the demongoized translations when unaliased' do
+            expect(plucked_unaliased.first).to eq('deutsch-text')
+          end
+
+          it 'returns the full translations hash to _translations' do
+            expect(plucked_translations.first).to eq({ 'de' => 'deutsch-text', 'en' => 'english-text' })
+          end
+
+          it 'returns both' do
+            expect(plucked_translations_both.first).to eq([{ 'de' => 'deutsch-text', 'en' => 'english-text' }, 'deutsch-text'])
+          end
+        end
+
+        context 'when plucking a specific locale' do
+
+          let(:plucked) do
+            parent.products.all.pluck(:'tagline.de')
+          end
+
+          it 'returns the specific translations' do
+            expect(plucked.first).to eq('deutsch-text')
+          end
+        end
+
+        context 'when plucking a specific locale from _translations field' do
+
+          let(:plucked) do
+            parent.products.all.pluck(:'tagline_translations.de')
+          end
+
+          it 'returns the specific translations' do
+            expect(plucked.first).to eq('deutsch-text')
+          end
+        end
+
+        context 'when fallbacks are enabled with a locale list' do
+          require_fallbacks
+
+          before do
+            I18n.fallbacks[:he] = [:en]
+          end
+
+          let(:plucked) do
+            parent.products.all.pluck(:tagline).first
+          end
+
+          it 'correctly uses the fallback' do
+            I18n.locale = :en
+            parent.products.create!(tagline: 'english-text')
+            I18n.locale = :he
+            expect(plucked).to eq 'english-text'
+          end
+        end
+      end
+
+      context 'when the localized field is embedded' do
+        with_default_i18n_configs
+
+        before do
+          s = Seo.new
+          I18n.locale = :en
+          s.name = 'english-text'
+          I18n.locale = :de
+          s.name = 'deutsch-text'
+
+          parent.products.delete_all
+          parent.products.create!(name: 'ACME Tunnel Paint', seo: s)
+        end
+
+        let(:plucked) do
+          parent.products.pluck('seo.name').first
+        end
+
+        let(:plucked_translations) do
+          parent.products.pluck('seo.name_translations').first
+        end
+
+        let(:plucked_translations_field) do
+          parent.products.pluck('seo.name_translations.en').first
+        end
+
+        it 'returns the translation for the current locale' do
+          expect(plucked).to eq('deutsch-text')
+        end
+
+        it 'returns the full _translation hash' do
+          expect(plucked_translations).to eq({ 'en' => 'english-text', 'de' => 'deutsch-text' })
+        end
+
+        it 'returns the translation for the requested locale' do
+          expect(plucked_translations_field).to eq('english-text')
+        end
+      end
+    end
+
+    context 'when the localized field is embedded and aliased' do
+      with_default_i18n_configs
+
+      before do
+        s = Seo.new
+        I18n.locale = :en
+        s.description = 'english-text'
+        I18n.locale = :de
+        s.description = 'deutsch-text'
+
+        parent.products.delete_all
+        parent.products.create!(name: 'ACME Tunnel Paint', seo: s)
+      end
+
+      let(:plucked) do
+        parent.products.pluck('seo.description').first
+      end
+
+      let(:plucked_unaliased) do
+        parent.products.pluck('seo.desc').first
+      end
+
+      let(:plucked_translations) do
+        parent.products.pluck('seo.description_translations').first
+      end
+
+      let(:plucked_translations_field) do
+        parent.products.pluck('seo.description_translations.en').first
+      end
+
+      it 'returns the translation for the current locale' do
+        I18n.with_locale(:en) do
+          expect(plucked).to eq('english-text')
+        end
+      end
+
+      it 'returns the translation for the current locale when unaliased' do
+        I18n.with_locale(:en) do
+          expect(plucked_unaliased).to eq('english-text')
+        end
+      end
+
+      it 'returns the full _translation hash' do
+        expect(plucked_translations).to eq({ 'en' => 'english-text', 'de' => 'deutsch-text' })
+      end
+
+      it 'returns the translation for the requested locale' do
+        expect(plucked_translations_field).to eq('english-text')
+      end
+    end
+
+    context 'when plucking an embedded field' do
+      let(:label) { Label.new(sales: '1E2') }
+      let!(:band) { Band.create!(label: label) }
+
+      let(:plucked) { Band.where(_id: band.id).pluck('label.sales') }
+
+      it 'demongoizes the field' do
+        expect(plucked).to eq([ BigDecimal('1E2') ])
+      end
+    end
+
+    context 'when plucking an embeds_many field' do
+      let(:label) { Label.new(sales: '1E2') }
+      let!(:band) { Band.create!(labels: [label]) }
+
+      let(:plucked) { Band.where(_id: band.id).pluck('labels.sales') }
+
+      it 'demongoizes the field' do
+        expect(plucked.first).to eq([ BigDecimal('1E2') ])
+      end
+    end
+
+    context 'when plucking a nonexistent embedded field' do
+      let(:label) { Label.new(sales: '1E2') }
+      let!(:band) { Band.create!(label: label) }
+
+      let(:plucked) { Band.where(_id: band.id).pluck('label.qwerty') }
+
+      it 'returns nil' do
+        expect(plucked.first).to eq(nil)
+      end
+    end
+  end
+
   describe "#reset" do
 
     let(:person) do

data/spec/mongoid/attributes_spec.rb

@@ -1729,6 +1729,19 @@ describe Mongoid::Attributes do
         end
       end
     end
+
+    context 'when map_big_decimal_to_decimal128 is enabled' do
+      config_override :map_big_decimal_to_decimal128, true
+
+      context 'when writing an identical number' do
+        let(:band) { Band.create!(name: 'Nirvana', sales: 123456.78).reload }
+
+        it 'does not mark the document as changed' do
+          band.sales = 123456.78
+          expect(band.changed?).to be false
+        end
+      end
+    end
   end
 
   describe "#typed_value_for" do
@@ -2709,7 +2722,23 @@ describe Mongoid::Attributes do
     end
   end
 
-  context "when modifiying a set referenced with the [] notation" do
+  context "when accessing an embedded document with the attribute accessor" do
+    let(:band) { Band.create! }
+
+    before do
+      Band.where(id: band.id).update_all({
+        :$push => {records: { _id: BSON::ObjectId.new }}
+      })
+    end
+
+    it "does not throw a conflicting update error" do
+      b1 = Band.find(band.id)
+      b1[:records].is_a?(Array).should be true
+      expect { b1.save! }.not_to raise_error
+    end
+  end
+
+  context "when modifying a set referenced with the [] notation" do
     let(:catalog) { Catalog.create!(set_field: [ 1 ].to_set) }
 
     before do

data/spec/mongoid/clients/factory_spec.rb

@@ -30,6 +30,34 @@ describe Mongoid::Clients::Factory do
     end
   end
 
+  shared_examples_for 'includes rails wrapping library' do
+    context 'when Rails is available' do
+      around do |example|
+        rails_was_defined = defined?(::Rails)
+
+        if !rails_was_defined
+          module ::Rails
+            def self.version
+              '6.1.0'
+            end
+          end
+        end
+
+        example.run
+
+        if !rails_was_defined
+          Object.send(:remove_const, :Rails) if defined?(::Rails)
+        end
+      end
+
+      it 'adds Rails as another wrapping library' do
+        expect(client.options[:wrapping_libraries]).to include(
+          {'name' => 'Rails', 'version' => '6.1.0'},
+        )
+      end
+    end
+  end
+
   describe ".create" do
 
     context "when provided a name" do
@@ -89,6 +117,8 @@ describe Mongoid::Clients::Factory do
               Mongoid::Clients::Factory::MONGOID_WRAPPING_LIBRARY)]
           end
 
+          it_behaves_like 'includes rails wrapping library'
+
           context 'when configuration specifies a wrapping library' do
 
             let(:config) do
@@ -110,6 +140,8 @@ describe Mongoid::Clients::Factory do
                 {'name' => 'Foo'},
               ]
             end
+
+            it_behaves_like 'includes rails wrapping library'
           end
         end
 

data/spec/mongoid/criteria_spec.rb

@@ -3250,5 +3250,201 @@ describe Mongoid::Criteria do
         expect(criteria.selector).to eq({ 'name' => 'Songs Ohia' })
       end
     end
+
+    context 'with allowed methods' do
+      context 'when using multiple query methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            limit: 10,
+            skip: 5,
+            order_by: { name: 1 }
+          }
+        end
+
+        it 'applies all methods successfully' do
+          expect(criteria.selector).to eq({ 'active' => true })
+          expect(criteria.options[:limit]).to eq(10)
+          expect(criteria.options[:skip]).to eq(5)
+          expect(criteria.options[:sort]).to eq({ 'name' => 1 })
+        end
+      end
+
+      context 'when using query selector methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            gt: { members: 2 },
+            in: { genre: ['rock', 'metal'] }
+          }
+        end
+
+        it 'applies selector methods' do
+          expect(criteria.selector['members']).to eq({ '$gt' => 2 })
+          expect(criteria.selector['genre']).to eq({ '$in' => ['rock', 'metal'] })
+        end
+      end
+
+      context 'when using aggregation methods' do
+        let(:hash) do
+          {
+            klass: Band,
+            project: { name: 1, members: 1 }
+          }
+        end
+
+        it 'applies aggregation methods' do
+          expect { criteria }.not_to raise_error
+        end
+      end
+    end
+
+    context 'with disallowed methods' do
+      context 'when attempting to call create' do
+        let(:hash) do
+          { klass: Band, create: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call create!' do
+        let(:hash) do
+          { klass: Band, 'create!': { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create!' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call build' do
+        let(:hash) do
+          { klass: Band, build: { name: 'Malicious' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'build' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call find' do
+        let(:hash) do
+          { klass: Band, find: 'some_id' }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'find' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call execute_or_raise' do
+        let(:hash) do
+          { klass: Band, execute_or_raise: ['id1', 'id2'] }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'execute_or_raise' is not allowed in from_hash")
+        end
+      end
+
+      context 'when attempting to call new' do
+        let(:hash) do
+          { klass: Band, new: { name: 'Test' } }
+        end
+
+        it 'raises ArgumentError' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'new' is not allowed in from_hash")
+        end
+      end
+
+      context 'when allowed method is combined with disallowed method' do
+        let(:hash) do
+          {
+            klass: Band,
+            where: { active: true },
+            create: { name: 'Malicious' }
+          }
+        end
+
+        it 'raises ArgumentError before executing any methods' do
+          expect { criteria }.to raise_error(ArgumentError, "Method 'create' is not allowed in from_hash")
+        end
+      end
+    end
+
+    context 'security validation' do
+      # This test ensures that ALL public methods not in the allowlist are blocked
+      it 'blocks all dangerous public methods' do
+        dangerous_methods = %i[
+          build create create! new
+          find find_or_create_by find_or_create_by! find_or_initialize_by
+          first_or_create first_or_create! first_or_initialize
+          execute_or_raise multiple_from_db for_ids
+          documents= inclusions= scoping_options=
+          initialize freeze as_json
+        ]
+
+        dangerous_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { described_class.from_hash(hash) }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in from_hash"
+          ), "Expected method '#{method}' to be blocked but it was allowed"
+        end
+      end
+
+      it 'blocks dangerous inherited methods from Object' do
+        # Critical security test: block send, instance_eval, etc.
+        inherited_dangerous = %i[
+          send __send__ instance_eval instance_exec
+          instance_variable_set method
+        ]
+
+        inherited_dangerous.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { described_class.from_hash(hash) }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in from_hash"
+          ), "Expected inherited method '#{method}' to be blocked"
+        end
+      end
+
+      it 'blocks Enumerable execution methods' do
+        # from_hash should build queries, not execute them
+        enumerable_methods = %i[each map select count sum]
+
+        enumerable_methods.each do |method|
+          hash = { klass: Band, method => 'arg' }
+          expect { described_class.from_hash(hash) }.to raise_error(
+            ArgumentError,
+            "Method '#{method}' is not allowed in from_hash"
+          ), "Expected Enumerable method '#{method}' to be blocked"
+        end
+      end
+
+      it 'allows all whitelisted methods' do
+        # Sample of allowed methods from each category
+        allowed_sample = {
+          where: { name: 'Test' },      # Query selector
+          limit: 10,                     # Query option
+          skip: 5,                       # Query option
+          gt: { age: 18 },              # Query selector
+          in: { status: ['active'] },   # Query selector
+          ascending: :name,              # Sorting
+          includes: :notes,            # Eager loading
+          merge: { klass: Band },        # Merge
+        }
+
+        allowed_sample.each do |method, args|
+          hash = { klass: Band, method => args }
+          expect { described_class.from_hash(hash) }.not_to raise_error,
+            "Expected method '#{method}' to be allowed but it was blocked"
+        end
+      end
+    end
   end
 end