Merge pull request #2714 from evazion/fix-2704

Fix mass assignment vuln to tag alias/implication status (partial fix for #2704).
2016-10-11 17:48:26 -07:00
parent 3479ad89c6 7e3284c87f
commit eaa0426c36
8 changed files with 106 additions and 4 deletions
--- a/app/models/tag_alias.rb
+++ b/app/models/tag_alias.rb
@@ -6,7 +6,11 @@ class TagAlias < ActiveRecord::Base
  after_destroy :clear_all_cache
  before_validation :initialize_creator, :on => :create
  before_validation :normalize_names
+  validates_format_of :status, :with => /\A(active|deleted|pending|processing|queued|error: .*)\Z/
  validates_presence_of :creator_id, :antecedent_name, :consequent_name
+  validates :creator, presence: { message: "must exist" }, if: lambda { creator_id.present? }
+  validates :approver, presence: { message: "must exist" }, if: lambda { approver_id.present? }
+  validates :forum_topic, presence: { message: "must exist" }, if: lambda { forum_topic_id.present? }
  validates_uniqueness_of :antecedent_name
  validate :absence_of_transitive_relation
  validate :antecedent_and_consequent_are_different
@@ -15,7 +19,8 @@ class TagAlias < ActiveRecord::Base
  belongs_to :creator, :class_name => "User"
  belongs_to :approver, :class_name => "User"
  belongs_to :forum_topic
-  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :status, :skip_secondary_validations
+  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
+  attr_accessible :status, :as => [:admin]

  module SearchMethods
    def name_matches(name)
--- a/app/models/tag_implication.rb
+++ b/app/models/tag_implication.rb
@@ -9,14 +9,19 @@ class TagImplication < ActiveRecord::Base
  belongs_to :forum_topic
  before_validation :initialize_creator, :on => :create
  before_validation :normalize_names
+  validates_format_of :status, :with => /\A(active|deleted|pending|processing|queued|error: .*)\Z/
  validates_presence_of :creator_id, :antecedent_name, :consequent_name
+  validates :creator, presence: { message: "must exist" }, if: lambda { creator_id.present? }
+  validates :approver, presence: { message: "must exist" }, if: lambda { approver_id.present? }
+  validates :forum_topic, presence: { message: "must exist" }, if: lambda { forum_topic_id.present? }
  validates_uniqueness_of :antecedent_name, :scope => :consequent_name
  validate :absence_of_circular_relation
  validate :antecedent_is_not_aliased
  validate :consequent_is_not_aliased
  validate :antecedent_and_consequent_are_different
  validate :wiki_pages_present, :on => :create
-  attr_accessible :antecedent_name, :consequent_name, :descendant_names, :forum_topic_id, :status, :forum_topic, :skip_secondary_validations
+  attr_accessible :antecedent_name, :consequent_name, :forum_topic_id, :skip_secondary_validations
+  attr_accessible :status, :as => [:admin]

  module DescendantMethods
    extend ActiveSupport::Concern