From fe1e28b4f45f6aa4bb53dc5163c187c5206b66a7 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 29 Jun 2017 20:52:57 +0100
Subject: [PATCH] Fix more parameter sanitisation issues and add tests

---
 .rubocop_todo.yml | 2 +-
 app/controllers/notes_controller.rb | 1 +
 app/controllers/user_blocks_controller.rb | 3 +
 app/views/notes/_notes_paging_nav.html.erb | 4 +-
 app/views/user_blocks/_blocks.html.erb | 4 +-
 test/controllers/changeset_controller_test.rb | 12 ++++
 .../diary_entry_controller_test.rb | 15 +++++
 test/controllers/notes_controller_test.rb | 16 ++++++
 test/controllers/trace_controller_test.rb | 20 +++++++
 .../user_blocks_controller_test.rb | 56 +++++++++++++++++++
 10 files changed, 128 insertions(+), 5 deletions(-)

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index 2be52f7d6..e89927c9d 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -64,7 +64,7 @@ Metrics/BlockNesting:
 # Offense count: 62
 # Configuration parameters: CountComments.
 Metrics/ClassLength:
- Max: 1783
+ Max: 1790
 
 # Offense count: 69
 Metrics/CyclomaticComplexity:
diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index f4667bef5..20894c4e8 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -279,6 +279,7 @@ class NotesController < ApplicationController
 def mine
 if params[:display_name]
 if @this_user = User.active.find_by(:display_name => params[:display_name])
+ @params = params.permit(:display_name)
 @title = t "note.mine.title", :user => @this_user.display_name
 @heading = t "note.mine.heading", :user => @this_user.display_name
 @description = t "note.mine.subheading", :user => render_to_string(:partial => "user", :object => @this_user)
diff --git a/app/controllers/user_blocks_controller.rb b/app/controllers/user_blocks_controller.rb
index 467ca4c3c..ea5cdab10 100644
--- a/app/controllers/user_blocks_controller.rb
+++ b/app/controllers/user_blocks_controller.rb
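Review bot: `@params = params.permit(:display_name)` is assigned only on the path where `User.active.find_by` succeeds, so any render of the notes list that reaches `_notes_paging_nav` without passing through this branch will call `merge` on nil; the rest of `mine`, including whatever the not-found branch does, lies outside the hunk, so I cannot confirm whether such a path exists. A one-line comment would also tell the next reader why a second, filtered copy of the params exists: `# Only these keys may be echoed back into the pagination links (see _notes_paging_nav)`. If the not-found path can render the same partial, hoisting the assignment above the lookup keeps the view's contract simple.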
@@ -12,6 +12,7 @@ class UserBlocksController < ApplicationController
 before_action :check_database_writable, :only => [:create, :update, :revoke]
 
 def index
+ @params = params.permit
 @user_blocks_pages, @user_blocks = paginate(:user_blocks,
 :include => [:user, :creator, :revoker],
 :order => "user_blocks.ends_at DESC",
@@ -88,6 +89,7 @@ class UserBlocksController < ApplicationController
 ##
 # shows a list of all the blocks on the given user
 def blocks_on
+ @params = params.permit(:display_name)
 @user_blocks_pages, @user_blocks = paginate(:user_blocks,
 :include => [:user, :creator, :revoker],
 :conditions => { :user_id => @this_user.id },
@@ -98,6 +100,7 @@ class UserBlocksController < ApplicationController
 ##
 # shows a list of all the blocks by the given user.
 def blocks_by
+ @params = params.permit(:display_name)
 @user_blocks_pages, @user_blocks = paginate(:user_blocks,
 :include => [:user, :creator, :revoker],
 :conditions => { :creator_id => @this_user.id },
diff --git a/app/views/notes/_notes_paging_nav.html.erb b/app/views/notes/_notes_paging_nav.html.erb
index 108cbb3d2..862eae17c 100644
--- a/app/views/notes/_notes_paging_nav.html.erb
+++ b/app/views/notes/_notes_paging_nav.html.erb
@@ -1,7 +1,7 @@
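Review bot: The same `@params = params.permit(...)` assignment is repeated in `index`, `blocks_on` and `blocks_by` (the second and third hunks of this file), which invites the copies to drift: `index` permits nothing while the other two permit `:display_name`, and nothing in the hunks records why either whitelist is the right one. A private helper or a `before_action` next to the existing `:check_database_writable` callback would give the whitelist one home; `blocks_on` and `blocks_by` depend on `@this_user` being resolved elsewhere, so the callback ordering would need checking outside this hunk. At minimum, a comment at the first assignment would carry the intent: `# Filtered copy of params; presumably only these keys may be echoed into the _blocks partial's pagination links`.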

<% if @page > 1 %>
-<%= link_to t('changeset.changeset_paging_nav.previous'), params.merge({ :page => @page - 1 }) %>
+<%= link_to t('changeset.changeset_paging_nav.previous'), @params.merge({ :page => @page - 1 }) %>
 <% else %>
 <%= t('changeset.changeset_paging_nav.previous') %>
 <% end %>
@@ -11,7 +11,7 @@
 <% if @notes.size < @page_size %>
 <%= t('changeset.changeset_paging_nav.next') %>
 <% else %>
-<%= link_to t('changeset.changeset_paging_nav.next'), params.merge({ :page => @page + 1 }) %>
+<%= link_to t('changeset.changeset_paging_nav.next'), @params.merge({ :page => @page + 1 }) %>
 <% end %>
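Review bot: The partial now depends on an instance variable, `@params`, that every rendering action must set, but nothing in the template states that contract, and a caller that omits it fails with a NoMethodError on nil at the `@params.merge` call in both hunks rather than with a clear message. Document it at the top of the partial with an ERB comment such as `<%# Expects @params: an ActionController::Parameters already filtered with permit, so only whitelisted keys are echoed into the previous/next links %>`. The partial's surrounding lines appear to have lost some context in this copy, so only the two changed lines were checked here.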

diff --git a/app/views/user_blocks/_blocks.html.erb b/app/views/user_blocks/_blocks.html.erb
index d3908dab3..e9dfc7185 100644
--- a/app/views/user_blocks/_blocks.html.erb
+++ b/app/views/user_blocks/_blocks.html.erb
@@ -20,7 +20,7 @@