[Git][noosfero/noosfero][master] 2 commits: fix to sql injections vulnerabilities identified using brakeman

Bráulio Bhavamitra gitlab at mg.gitlab.com
Thu Mar 31 18:00:19 BRT 2016


Bráulio Bhavamitra pushed to branch master at Noosfero / noosfero


Commits:
d578209b by Ábner Silva de Oliveira at 2016-03-31T17:47:41-03:00
Fix SQL injection vulnerabilities identified using Brakeman

Signed-off-by: Lucas Kanashiro <kanashiro.duarte at gmail.com>
Sign-off-by: Macartur Sousa <macartur.sc at gmail.com>

- - - - -
61931718 by Bráulio Bhavamitra at 2016-03-31T20:59:42+00:00
Merge branch 'fix-vunerabilities-found-with-breakman' into 'master'

fix to sql injections vulnerabilities identified using brakeman



See merge request !832
- - - - -


5 changed files:

- app/controllers/my_profile/manage_products_controller.rb
- app/controllers/public/contact_controller.rb
- app/models/product_category.rb
- app/models/task.rb
- lib/activities_counter_cache_job.rb


Changes:

=====================================
app/controllers/my_profile/manage_products_controller.rb
=====================================
--- a/app/controllers/my_profile/manage_products_controller.rb
+++ b/app/controllers/my_profile/manage_products_controller.rb
@@ -206,7 +206,7 @@ class ManageProductsController < ApplicationController
   end
 
   def certifiers_for_selection
-    @qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil
+    @qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil
     render :update do |page|
       page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection'
     end
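Review bot: The `exists?`/`find` pair at line 50 (and the same pattern for `City`/`State` at lines 67-68 of contact_controller.rb) still issues two queries per lookup and can raise RecordNotFound if the row disappears between them, although the hash condition is what stops a string id from being read as a raw SQL fragment. A single lookup that returns nil on a miss keeps the parameterized condition and drops the ternary: `@qualifier = Qualifier.where(id: params[:id]).first`. In contact_controller.rb the equivalent is `City.where(id: params[:city]).first` followed by `.try(:name)`, so a blank or unknown id still yields nil. certifiers_for_selection's body continues outside the hunk.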


=====================================
app/controllers/public/contact_controller.rb
=====================================
--- a/app/controllers/public/contact_controller.rb
+++ b/app/controllers/public/contact_controller.rb
@@ -6,8 +6,8 @@ class ContactController < PublicController
   def new
     @contact = build_contact
     if request.post? && params[:confirm] == 'true'
-      @contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil
-      @contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil
+      @contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil
+      @contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil
       if @contact.deliver
         session[:notice] = _('Contact successfully sent')
         redirect_to :action => 'new'


=====================================
app/models/product_category.rb
=====================================
--- a/app/models/product_category.rb
+++ b/app/models/product_category.rb
@@ -14,6 +14,10 @@ class ProductCategory < Category
     where 'environment_id = ?', environment.id
   }
 
+  scope :unique_by_level, lambda { |level| {
+    :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level.to_i}) AS filtered_category, categories.*"
+  }}
+
   def all_products
     Product.where(product_category_id: (all_children << self).map(&:id))
   end
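Review bot: `level.to_i` at line 84 keeps the interpolated value an integer, but any blank or non-numeric `level` becomes 0, and PostgreSQL's `split_part` rejects a field position of 0 (`DISTINCT ON` makes this query Postgres-specific), so a bad argument surfaces as a database error rather than an ArgumentError. Coercing strictly and checking the bound before building the string makes the failure explicit: `level = Integer(level)` then `raise ArgumentError, 'level must be >= 1' unless level >= 1` at the top of the lambda. No caller of `unique_by_level` appears in this hunk, so where `level` originates cannot be checked here. The body also returns an options hash rather than a relation; if the app is on Rails 4 (the `-> { where ... }` scopes in task.rb suggest it), `select("...")` would be the relation form.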


=====================================
app/models/task.rb
=====================================
--- a/app/models/task.rb
+++ b/app/models/task.rb
@@ -275,9 +275,19 @@ class Task < ActiveRecord::Base
   scope :canceled, -> { where status: Task::Status::CANCELLED }
   scope :closed, -> { where status: [Task::Status::CANCELLED, Task::Status::FINISHED] }
   scope :opened, -> { where status: [Task::Status::ACTIVE, Task::Status::HIDDEN] }
-  scope :of, -> type { where "type LIKE ?", type if type }
-  scope :order_by, -> attribute, ord { order "#{attribute} #{ord}" }
-  scope :like, -> field, value { where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%" if value }
+  scope :of, -> type { where :type => type  if type }
+  scope :order_by, -> attribute, ord {
+      if ord.downcase.include? 'desc'
+        order attribute.to_sym => :desc
+      else
+        order attribute.to_sym
+      end
+  }
+  scope :like, -> field, value {
+      if value and Task.column_names.include? field
+        where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%"
+      end
+  }
   scope :pending_all, -> profile, filter_type, filter_text {
     self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text)
   }
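Review bot: `order_by` at lines 105-111 does not apply the column whitelist that the sibling `like` scope uses at line 113, so `attribute` still reaches `order` unchecked; the symbol form quotes the identifier, which removes the injection, but an unknown column now fails inside the database instead of being ignored, and `ord.downcase` at line 106 raises NoMethodError when `ord` is nil, where the old string form tolerated it. Guarding both arguments the way `like` does keeps the two scopes consistent, as below. Separately, `of` at line 104 changes `type LIKE ?` to an equality match; the old form was already parameterized, so this is a semantic change for any caller passing a pattern and is worth confirming as intended. `like` also uses `and` where `&&` is the conventional choice.
```ruby
  scope :order_by, -> attribute, ord {
    if Task.column_names.include? attribute.to_s
      direction = ord.to_s.downcase.include?('desc') ? :desc : :asc
      order attribute.to_sym => direction
    end
  }
```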


=====================================
lib/activities_counter_cache_job.rb
=====================================
--- a/lib/activities_counter_cache_job.rb
+++ b/lib/activities_counter_cache_job.rb
@@ -1,11 +1,14 @@
 class ActivitiesCounterCacheJob
+
   def perform
-    person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
-    organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+    person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+    organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
     activities_counts = person_activities_counts.entries + organization_activities_counts.entries
     activities_counts.each do |count|
-      ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{count['id']};")
+      update_sql = ActiveRecord::Base.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+      ActiveRecord::Base.connection.execute(update_sql)
     end
     Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
   end
+
 end
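Review bot: The `__send__(:sanitize_sql, …)` call at line 138 reaches into a non-public ActiveRecord helper (the trailing `''` is its table_name argument) to assemble an UPDATE whose values come from the preceding query's rows; the same statement can be issued through the public API with no string assembly at all, `Profile.where(id: count['id']).update_all(activities_count: count['count'].to_i)`, assuming the `profiles` table is backed by a `Profile` model as the STI `type` values in the query suggest. The `quote` wrapping at lines 133-134 is correct, though `RECENT_DELAY.days.ago` is a server-side constant rather than request input, so the two raw SELECTs were not an injection surface. The loop still issues one UPDATE per profile, which is unchanged by this commit and could become a single statement if the job grows slow.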



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/732a29a0ff765afe79f92890ec6eb755e464456a...61931718b194cd49468fd07dbfa57dd0252b28dc

