ActionDispatch::Http::UploadedFile is a permitted scalar [Closes #9051]

actionpack/lib/action_controller/metal/strong_parameters.rb

 require 'active_support/core_ext/hash/indifferent_access'
 require 'active_support/core_ext/array/wrap'
 require 'active_support/rescuable'
+require 'action_dispatch/http/upload'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -190,8 +191,9 @@ def require(key)
     #
     # +:name+ passes it is a key of +params+ whose associated value is of type
     # +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+,
-    # +Date+, +Time+, +DateTime+, +StringIO+, or +IO+. Otherwise, the key +:name+
-    # is filtered out.
+    # +Date+, +Time+, +DateTime+, +StringIO+, +IO+, or
+    # +ActionDispatch::Http::UploadedFile+. Otherwise, the key +:name+ is
+    # filtered out.
     #
     # You may declare that the parameter should be an array of permitted scalars
     # by mapping it to an empty array:
@@ -371,6 +373,7 @@ def unpermitted_keys(params)
         # DateTimes are Dates, we document the type but avoid the redundant check.
         StringIO,
         IO,
+        ActionDispatch::Http::UploadedFile,
       ]
 
       def permitted_scalar?(value)

actionpack/test/controller/parameters/parameters_permit_test.rb

 require 'abstract_unit'
+require 'action_dispatch/http/upload'
 require 'action_controller/metal/strong_parameters'
 
 class ParametersPermitTest < ActiveSupport::TestCase
@@ -31,7 +32,7 @@ def assert_filtered_out(params, key)
     values += [0, 1.0, 2**128, BigDecimal.new(1)]
     values += [true, false]
     values += [Date.today, Time.now, DateTime.now]
-    values += [StringIO.new]
+    values += [STDOUT, StringIO.new, ActionDispatch::Http::UploadedFile.new(tempfile: __FILE__)]
 
     values.each do |value|
       params = ActionController::Parameters.new(id: value)