Commit 8c576313963d6be6644af9a2c675927ab7cbd2a1
1 parent
fe596c84
Exists in
theme-brasil-digital-from-staging
and in
9 other branches
removing search controller vulnabilities
Showing
3 changed files
with
53 additions
and
0 deletions
Show diff stats
app/controllers/public/search_controller.rb
| ... | ... | @@ -3,7 +3,10 @@ class SearchController < PublicController |
| 3 | 3 | helper TagsHelper |
| 4 | 4 | include SearchHelper |
| 5 | 5 | include ActionView::Helpers::NumberHelper |
| 6 | + include SanitizeParams | |
| 6 | 7 | |
| 8 | + | |
| 9 | + before_filter :sanitize_params | |
| 7 | 10 | before_filter :redirect_asset_param, :except => [:assets, :suggestions] |
| 8 | 11 | before_filter :load_category, :except => :suggestions |
| 9 | 12 | before_filter :load_search_assets, :except => :suggestions | ... | ... |
| ... | ... | @@ -0,0 +1,34 @@ |
| 1 | +module SanitizeParams | |
| 2 | + | |
| 3 | + protected | |
| 4 | + | |
| 5 | + # Check each request parameter for | |
| 6 | + # improper HTML or Script tags | |
| 7 | + def sanitize_params | |
| 8 | + request.params.each { |k, v| | |
| 9 | + if v.is_a?(String) | |
| 10 | + params[k] = sanitize_param v | |
| 11 | + elsif v.is_a?(Array) | |
| 12 | + params[k] = sanitize_array v | |
| 13 | + end | |
| 14 | + } | |
| 15 | + end | |
| 16 | + | |
| 17 | + # If the parameter was an array, | |
| 18 | + # try to sanitize each element in the array | |
| 19 | + def sanitize_array(array) | |
| 20 | + array.map! { |e| | |
| 21 | + if e.is_a?(String) | |
| 22 | + sanitize_param e | |
| 23 | + end | |
| 24 | + } | |
| 25 | + return array | |
| 26 | + end | |
| 27 | + | |
| 28 | + # Santitize a single value | |
| 29 | + def sanitize_param(value) | |
| 30 | + allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | |
| 31 | + ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | |
| 32 | + end | |
| 33 | + | |
| 34 | +end | ... | ... |
test/functional/search_controller_test.rb
| ... | ... | @@ -769,6 +769,22 @@ class SearchControllerTest < ActionController::TestCase |
| 769 | 769 | assert_equivalent [t1,t2,c1,c2,c3,c4] , assigns(:searches)[:communities][:results] |
| 770 | 770 | end |
| 771 | 771 | |
| 772 | + should 'not allow query injection' do | |
| 773 | + injection = '<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam' | |
| 774 | + get :tag, :tag => injection | |
| 775 | + tag = assigns(:tag) | |
| 776 | + assert !tag.upcase.include?('IMG') && tag.include?('SearchParam') | |
| 777 | + end | |
| 778 | + | |
| 779 | + should 'not allow query injection array' do | |
| 780 | + injection = ['<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>', '<script>document.innerHTML = \'x\'</script>'] | |
| 781 | + get :tag, :tag => injection | |
| 782 | + tag = assigns(:tag) | |
| 783 | + tag.each { |t| | |
| 784 | + assert !t.upcase.include?('IMG') && !t.upcase.include?('SCRIPT') | |
| 785 | + } | |
| 786 | + end | |
| 787 | + | |
| 772 | 788 | protected |
| 773 | 789 | |
| 774 | 790 | def create_event(profile, options) | ... | ... |