Fix mass assignment vuln in comment update action (#2704).

Prevents mass assignment of `post_id`, `do_not_bump_post`, and `is_deleted`.
2016-10-06 09:14:34 +00:00
parent ab5fd48280
commit 8c8f4a6a8f
2 changed files with 23 additions and 1 deletions
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -23,7 +23,7 @@ class CommentsController < ApplicationController
  def update
    @comment = Comment.find(params[:id])
    check_privilege(@comment)
-    @comment.update_attributes(params[:comment])
+    @comment.update_attributes(params[:comment].permit(:body))
    respond_with(@comment, :location => post_path(@comment.post_id))
  end

--- a/test/functional/comments_controller_test.rb
+++ b/test/functional/comments_controller_test.rb
@@ -33,6 +33,28 @@ class CommentsControllerTest < ActionController::TestCase
        post :update, {:id => @comment.id, :comment => {:body => "abc"}}, {:user_id => @comment.creator_id}
        assert_redirected_to post_path(@comment.post)
      end
+
+      should "only allow changing the body" do
+        params = {
+          id: @comment.id,
+          comment: {
+            body: "herp derp",
+            do_not_bump_post: true,
+            is_deleted: true,
+            post_id: FactoryGirl.create(:post).id,
+          }
+        }
+
+        post :update, params, { :user_id => @comment.creator_id }
+        @comment.reload
+
+        assert_equal("herp derp", @comment.body)
+        assert_equal(false, @comment.do_not_bump_post)
+        assert_equal(false, @comment.is_deleted)
+        assert_equal(@post.id, @comment.post_id)
+
+        assert_redirected_to post_path(@post)
+      end
    end

    context "create action"do