From d2f3027294658a2d2c1e45c4cd9e5f5a6ff256c3 Mon Sep 17 00:00:00 2001
From: evazion
Date: Wed, 19 Oct 2016 22:39:08 -0500
Subject: [PATCH 1/2] Add test for moving notes between posts.

---
 test/functional/notes_controller_test.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb
index b93e2ac31..354736a01 100644
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -47,6 +47,13 @@ class NotesControllerTest < ActionController::TestCase
         @note.reload
         assert_equal("xyz", @note.body)
       end
+
+      should "not allow changing the post id to another post" do
+        @other = FactoryGirl.create(:post)
+        post :update, {:format => "json", :id => @note.id, :note => {:post_id => @other.id}}, {:user_id => @user.id}
+
+        assert_not_equal(@other.id, @note.reload.post_id)
+      end
     end

     context "destroy action" do

From 8df1496d281e4139ecd20171ea2940450027c7dd Mon Sep 17 00:00:00 2001
From: evazion
Date: Wed, 19 Oct 2016 22:39:57 -0500
Subject: [PATCH 2/2] Fix vuln allowing users to move notes between posts.

Prevents this from working:

PUT /notes/1.json?note[post_id]=23
PUT /notes/1.json?note[post_id]=42

---
 app/controllers/notes_controller.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index f73c451b1..e14060826 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -20,7 +20,7 @@ class NotesController < ApplicationController
   end

   def create
-    @note = Note.create(params[:note])
+    @note = Note.create(create_params)
     respond_with(@note) do |fmt|
       fmt.json do
         if @note.errors.any?
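Review bot: The new test's only assertion, `assert_not_equal(@other.id, @note.reload.post_id)`, also passes when the update fails outright (a 400 or a validation error), so it does not show that the request was handled normally with `post_id` merely ignored. Capture the value before the request, `original_post_id = @note.post_id`, then assert both `assert_response :success` and `assert_equal(original_post_id, @note.reload.post_id)`. The outcome also depends on `config.action_controller.action_on_unpermitted_parameters`: if the test environment sets it to `:raise`, the `post :update` call would raise `ActionController::UnpermittedParameters` instead of silently dropping the key, so the expected behaviour is worth pinning explicitly. The enclosing `context` block starts before this hunk.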
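Review bot: `params.require(:note)` inside the new `create_params` raises `ActionController::ParameterMissing` when a request carries no `note` key, which Rails answers with a 400 by default, whereas `Note.create(params[:note])` previously passed `nil` straight through to the model; the same change applies to `update_params` in the `update` hunk. That is a sensible outcome, but it is a visible API change for JSON clients and is not mentioned in the commit message, so add a line there or a comment on the helpers such as `# A missing :note key raises ParameterMissing (400); only the permitted attributes reach the model.` The `create` action's body continues past the end of this hunk.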
@@ -34,7 +34,7 @@ class NotesController < ApplicationController

   def update
     @note = Note.find(params[:id])
-    @note.update_attributes(params[:note])
+    @note.update_attributes(update_params)
     respond_with(@note) do |format|
       format.json do
         if @note.errors.any?
@@ -60,6 +60,14 @@ class NotesController < ApplicationController
   end

   private
+  def update_params
+    params.require(:note).permit(:x, :y, :width, :height, :body)
+  end
+
+  def create_params
+    params.require(:note).permit(:x, :y, :width, :height, :body, :post_id)
+  end
+
   def pass_html_id
     if params[:note] && params[:note][:html_id]
       response.headers["X-Html-Id"] = params[:note][:html_id]
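Review bot: `update_params` carries no explanation of why `post_id` is missing from its permit list while `create_params` includes it, yet that omission is the entire fix, so a later "make the two lists consistent" edit would quietly reintroduce the note-moving bug; add `# post_id is deliberately not permitted on update: a note must never be moved to another post.` above `def update_params`. The shared attributes could also live in one frozen constant, `NOTE_ATTRIBUTES = %i[x y width height body].freeze`, used as `permit(*NOTE_ATTRIBUTES)` and `permit(*NOTE_ATTRIBUTES, :post_id)`, so the common part cannot drift between the two helpers. Style: `def update_params` directly follows `private` without the blank line that separates the other methods in this hunk.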