jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #2714 from evazion/fix-2704

Browse Source 
Fix mass assignment vuln to tag alias/implication status (partial fix for #2704).
This commit is contained in:
Albert Yi
2016-10-11 17:48:26 -07:00
committed by GitHub
parent 3479ad89c6 7e3284c87f
commit eaa0426c36
8 changed files with 106 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/controllers/tag_aliases_controller.rb
View File

@@ -15,7 +15,7 @@ class TagAliasesController < ApplicationController
@tag_alias = TagAlias.find(params[:id])
if @tag_alias.is_pending? && @tag_alias.editable_by?(CurrentUser.user)
@tag_alias.update_attributes(params[:tag_alias])
@tag_alias.update_attributes(update_params)
end
respond_with(@tag_alias)
@@ -46,4 +46,10 @@ class TagAliasesController < ApplicationController
@tag_alias.approve!(CurrentUser.user.id)
respond_with(@tag_alias, :location => tag_alias_path(@tag_alias))
end
private
def update_params
params.require(:tag_alias).permit(:antecedent_name, :consequent_name, :forum_topic_id)
end
end

8
app/controllers/tag_implications_controller.rb
View File

@@ -15,7 +15,7 @@ class TagImplicationsController < ApplicationController
@tag_implication = TagImplication.find(params[:id])
if @tag_implication.is_pending? && @tag_implication.editable_by?(CurrentUser.user)
@tag_implication.update_attributes(params[:tag_implication])
@tag_implication.update_attributes(update_params)
end
respond_with(@tag_implication)
@@ -51,4 +51,10 @@ class TagImplicationsController < ApplicationController
@tag_implication.approve!(CurrentUser.user.id)
respond_with(@tag_implication, :location => tag_implication_path(@tag_implication))
end
private
def update_params
params.require(:tag_implication).permit(:antecedent_name, :consequent_name, :forum_topic_id)
end
end

7
app/models/tag_alias.rb
View File

@@ -6,7 +6,11 @@ class TagAlias < ActiveRecord::Base
after_destroy :clear_all_cache
before_validation :initialize_creator, :on => :create
before_validation :normalize_names
validates_format_of :status, :with => /\A(active|deleted|pending|processing|queued|error: .*)\Z/
validates_presence_of :creator_id, :antecedent_name, :consequent_name
validates :creator, presence: { message: "must exist" }, if: lambda { creator_id.present? }
validates :approver, presence: { message: "must exist" }, if: lambda { approver_id.present? }
validates :forum_topic, presence: { message: "must exist" }, if: lambda { forum_topic_id.present? }
validates_uniqueness_of :antecedent_name
validate :absence_of_transitive_relation
validate :antecedent_and_consequent_are_different
@@ -15,7 +19,8 @@ class TagAlias < ActiveRecord::Base
belongs_to :creator, :class_name => "User"
belongs_to :approver, :class_name => "User"
belongs_to :forum_topic
attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :status, :skip_secondary_validations
attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
attr_accessible :status, :as => [:admin]
module SearchMethods
def name_matches(name)

7
app/models/tag_implication.rb
View File

@@ -9,14 +9,19 @@ class TagImplication < ActiveRecord::Base
belongs_to :forum_topic
before_validation :initialize_creator, :on => :create
before_validation :normalize_names
validates_format_of :status, :with => /\A(active|deleted|pending|processing|queued|error: .*)\Z/
validates_presence_of :creator_id, :antecedent_name, :consequent_name
validates :creator, presence: { message: "must exist" }, if: lambda { creator_id.present? }
validates :approver, presence: { message: "must exist" }, if: lambda { approver_id.present? }
validates :forum_topic, presence: { message: "must exist" }, if: lambda { forum_topic_id.present? }
validates_uniqueness_of :antecedent_name, :scope => :consequent_name
validate :absence_of_circular_relation
validate :antecedent_is_not_aliased
validate :consequent_is_not_aliased
validate :antecedent_and_consequent_are_different
validate :wiki_pages_present, :on => :create
attr_accessible :antecedent_name, :consequent_name, :descendant_names, :forum_topic_id, :status, :forum_topic, :skip_secondary_validations
attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
attr_accessible :status, :as => [:admin]
module DescendantMethods
extend ActiveSupport::Concern