From 8c8f4a6a8fb145cc57a66adff1eb923d96d6241b Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 6 Oct 2016 09:14:34 +0000
Subject: [PATCH] Fix mass assignment vuln in comment update action (#2704).

Prevents mass assignment of `post_id`, `do_not_bump_post`, and `is_deleted`.
---
 app/controllers/comments_controller.rb      |  2 +-
 test/functional/comments_controller_test.rb | 22 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 1c8745dae..5069221a2 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -23,7 +23,7 @@ class CommentsController < ApplicationController
   def update
     @comment = Comment.find(params[:id])
     check_privilege(@comment)
-    @comment.update_attributes(params[:comment])
+    @comment.update_attributes(params[:comment].permit(:body))
     respond_with(@comment, :location => post_path(@comment.post_id))
   end
 
diff --git a/test/functional/comments_controller_test.rb b/test/functional/comments_controller_test.rb
index 41fbeceb8..52d27b853 100644
--- a/test/functional/comments_controller_test.rb
+++ b/test/functional/comments_controller_test.rb
@@ -33,6 +33,28 @@ class CommentsControllerTest < ActionController::TestCase
         post :update, {:id => @comment.id, :comment => {:body => "abc"}}, {:user_id => @comment.creator_id}
         assert_redirected_to post_path(@comment.post)
       end
+
+      should "only allow changing the body" do
+        params = {
+          id: @comment.id,
+          comment: {
+            body: "herp derp",
+            do_not_bump_post: true,
+            is_deleted: true,
+            post_id: FactoryGirl.create(:post).id,
+          }
+        }
+
+        post :update, params, { :user_id => @comment.creator_id }
+        @comment.reload
+
+        assert_equal("herp derp", @comment.body)
+        assert_equal(false, @comment.do_not_bump_post)
+        assert_equal(false, @comment.is_deleted)
+        assert_equal(@post.id, @comment.post_id)
+
+        assert_redirected_to post_path(@post)
+      end
     end
 
     context "create action"do
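Review bot: The new `params[:comment].permit(:body)` in `update` calls `permit` on `nil` whenever a request omits the `comment` key, so a malformed PUT surfaces as a NoMethodError (500) rather than a client error. The idiomatic strong-parameters form is `@comment.update_attributes(params.require(:comment).permit(:body))`, where `require` raises ActionController::ParameterMissing, which Rails maps to 400 Bad Request. It is also worth moving the permit list into a private `comment_params` method so the attribute allow-list for comments lives in one documented place instead of inline in the action; the `update` method is fully contained in the hunk.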
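Review bot: The new test in comments_controller_test.rb pins `do_not_bump_post` and `is_deleted` to the literal `false` and `post_id` to `@post.id`, which ties the assertions to factory defaults and to a `@post` that is set up outside the hunk; presumably `@comment` is created against `@post` in the surrounding context's setup, but the hunk does not show it. Asserting against the values captured before the request makes the "unchanged" intent explicit and independent of those defaults: `before = @comment.attributes.slice("do_not_bump_post", "is_deleted", "post_id")` ahead of `post :update`, then `assert_equal(before, @comment.reload.attributes.slice("do_not_bump_post", "is_deleted", "post_id"))` in place of the three literal assertions.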