[Git][noosfero/noosfero][master] 2 commits: fix to sql injections vulnerabilities identified using brakeman
Bráulio Bhavamitra
gitlab at mg.gitlab.com
Thu Mar 31 18:00:19 BRT 2016
Bráulio Bhavamitra pushed to branch master at Noosfero / noosfero
Commits:
d578209b by Ábner Silva de Oliveira at 2016-03-31T17:47:41-03:00
fix to sql injections vulnerabilities identified using brakeman
Signed-off-by: Lucas Kanashiro <kanashiro.duarte at gmail.com>
Sign-off-by: Macartur Sousa <macartur.sc at gmail.com>
- - - - -
61931718 by Bráulio Bhavamitra at 2016-03-31T20:59:42+00:00
Merge branch 'fix-vunerabilities-found-with-breakman' into 'master'
fix to sql injections vulnerabilities identified using brakeman
See merge request !832
- - - - -
5 changed files:
- app/controllers/my_profile/manage_products_controller.rb
- app/controllers/public/contact_controller.rb
- app/models/product_category.rb
- app/models/task.rb
- lib/activities_counter_cache_job.rb
Changes:
=====================================
app/controllers/my_profile/manage_products_controller.rb
=====================================
--- a/app/controllers/my_profile/manage_products_controller.rb
+++ b/app/controllers/my_profile/manage_products_controller.rb
@@ -206,7 +206,7 @@ class ManageProductsController < ApplicationController
end
def certifiers_for_selection
- @qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil
+ @qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil
render :update do |page|
page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection'
end
=====================================
app/controllers/public/contact_controller.rb
=====================================
--- a/app/controllers/public/contact_controller.rb
+++ b/app/controllers/public/contact_controller.rb
@@ -6,8 +6,8 @@ class ContactController < PublicController
def new
@contact = build_contact
if request.post? && params[:confirm] == 'true'
- @contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil
- @contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil
+ @contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil
+ @contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil
if @contact.deliver
session[:notice] = _('Contact successfully sent')
redirect_to :action => 'new'
=====================================
app/models/product_category.rb
=====================================
--- a/app/models/product_category.rb
+++ b/app/models/product_category.rb
@@ -14,6 +14,10 @@ class ProductCategory < Category
where 'environment_id = ?', environment.id
}
+ scope :unique_by_level, lambda { |level| {
+ :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level.to_i}) AS filtered_category, categories.*"
+ }}
+
def all_products
Product.where(product_category_id: (all_children << self).map(&:id))
end
=====================================
app/models/task.rb
=====================================
--- a/app/models/task.rb
+++ b/app/models/task.rb
@@ -275,9 +275,19 @@ class Task < ActiveRecord::Base
scope :canceled, -> { where status: Task::Status::CANCELLED }
scope :closed, -> { where status: [Task::Status::CANCELLED, Task::Status::FINISHED] }
scope :opened, -> { where status: [Task::Status::ACTIVE, Task::Status::HIDDEN] }
- scope :of, -> type { where "type LIKE ?", type if type }
- scope :order_by, -> attribute, ord { order "#{attribute} #{ord}" }
- scope :like, -> field, value { where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%" if value }
+ scope :of, -> type { where :type => type if type }
+ scope :order_by, -> attribute, ord {
+ if ord.downcase.include? 'desc'
+ order attribute.to_sym => :desc
+ else
+ order attribute.to_sym
+ end
+ }
+ scope :like, -> field, value {
+ if value and Task.column_names.include? field
+ where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%"
+ end
+ }
scope :pending_all, -> profile, filter_type, filter_text {
self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text)
}
=====================================
lib/activities_counter_cache_job.rb
=====================================
--- a/lib/activities_counter_cache_job.rb
+++ b/lib/activities_counter_cache_job.rb
@@ -1,11 +1,14 @@
class ActivitiesCounterCacheJob
+
def perform
- person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
- organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+ person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+ organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
activities_counts = person_activities_counts.entries + organization_activities_counts.entries
activities_counts.each do |count|
- ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{count['id']};")
+ update_sql = ActiveRecord::Base.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+ ActiveRecord::Base.connection.execute(update_sql)
end
Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
end
+
end
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/732a29a0ff765afe79f92890ec6eb755e464456a...61931718b194cd49468fd07dbfa57dd0252b28dc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listas.softwarelivre.org/pipermail/noosfero-dev/attachments/20160331/43a10d92/attachment-0001.html>
More information about the Noosfero-dev
mailing list