From 8c576313963d6be6644af9a2c675927ab7cbd2a1 Mon Sep 17 00:00:00 2001
From: Leandro Nunes dos Santos
Date: Fri, 17 Apr 2015 12:14:21 -0300
Subject: [PATCH] removing search controller vulnabilities

---
 app/controllers/public/search_controller.rb | 3 +++
 lib/sanitize_params.rb | 34 ++++++++++++++++++++++++++++++++++
 test/functional/search_controller_test.rb | 16 ++++++++++++++++
 3 files changed, 53 insertions(+), 0 deletions(-)
 create mode 100644 lib/sanitize_params.rb

diff --git a/app/controllers/public/search_controller.rb b/app/controllers/public/search_controller.rb
index 2429106..a0736b9 100644
--- a/app/controllers/public/search_controller.rb
+++ b/app/controllers/public/search_controller.rb
@@ -3,7 +3,10 @@ class SearchController < PublicController
   helper TagsHelper
   include SearchHelper
   include ActionView::Helpers::NumberHelper
+  include SanitizeParams
+
+  before_filter :sanitize_params
   before_filter :redirect_asset_param, :except => [:assets, :suggestions]
   before_filter :load_category, :except => :suggestions
   before_filter :load_search_assets, :except => :suggestions
diff --git a/lib/sanitize_params.rb b/lib/sanitize_params.rb
new file mode 100644
index 0000000..d16d072
--- /dev/null
+++ b/lib/sanitize_params.rb
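Review bot: `before_filter :sanitize_params` only protects the later filters because it is declared ahead of `redirect_asset_param`, `load_category` and `load_search_assets`: it rewrites `params` in place and those filters presumably read the rewritten values, yet nothing in the file records that the order is load-bearing. A comment above the new line, `# must stay first: rewrites params in place so the filters below see sanitized values`, would keep a future reordering from silently bypassing the sanitizer. The class body continues outside the hunk.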
@@ -0,0 +1,34 @@
+module SanitizeParams
+
+  protected
+
+  # Check each request parameter for
+  # improper HTML or Script tags
+  def sanitize_params
+    request.params.each { |k, v|
+      if v.is_a?(String)
+        params[k] = sanitize_param v
+      elsif v.is_a?(Array)
+        params[k] = sanitize_array v
+      end
+    }
+  end
+
+  # If the parameter was an array,
+  # try to sanitize each element in the array
+  def sanitize_array(array)
+    array.map! { |e|
+      if e.is_a?(String)
+        sanitize_param e
+      end
+    }
+    return array
+  end
+
+  # Santitize a single value
+  def sanitize_param(value)
+    allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
+    ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
+
+end
diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb
index 21d23b8..412002a 100644
--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
@@ -769,6 +769,22 @@ class SearchControllerTest < ActionController::TestCase
     assert_equivalent [t1,t2,c1,c2,c3,c4] , assigns(:searches)[:communities][:results]
   end
+  should 'not allow query injection' do
+    injection = 'SearchParam'
+    get :tag, :tag => injection
+    tag = assigns(:tag)
+    assert !tag.upcase.include?('IMG') && tag.include?('SearchParam')
+  end
+
+  should 'not allow query injection array' do
+    injection = ['', '']
+    get :tag, :tag => injection
+    tag = assigns(:tag)
+    tag.each { |t|
+      assert !t.upcase.include?('IMG') && !t.upcase.include?('SCRIPT')
+    }
+  end
+
+
   protected
   def create_event(profile, options)
-- 
libgit2 0.21.2
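Review bot: `sanitize_array` replaces every non-String element with `nil`, because the `if e.is_a?(String)` inside `map!` has no else branch, so an integer, nil or nested hash inside an array parameter is silently dropped instead of passed through; returning the element unchanged, `if e.is_a?(String) then sanitize_param e else e end`, keeps the array's shape intact. Separately, the `sanitize` helper returns an `html_safe` string, so the value written back into `params` in `sanitize_param` will be emitted unescaped by any view that later interpolates it, and the allow-list still admits markup a search term never needs — calling `.to_str` on the result (or stripping all tags for this controller) avoids handing the view a trusted-looking parameter. `sanitize_params` walks only top-level String and Array values, so a Hash parameter is left untouched, which matters if the search form nests its fields. The closing `end` of `sanitize_param` appears to have been lost in this rendering of the hunk.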
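Review bot: The compound `assert !tag.upcase.include?('IMG') && tag.include?('SearchParam')` reports only a bare assertion failure, hiding which half broke; `refute_includes tag.upcase, 'IMG'` and `assert_includes tag, 'SearchParam'` (and `refute_includes t.upcase, 'SCRIPT'` in the array test) name the offending value. As printed here the payloads `'SearchParam'` and `['', '']` contain no markup at all, so both tests would pass with the filter removed; presumably the tags were stripped in rendering, but it is worth confirming the committed fixtures still carry an element the sanitizer is expected to remove. Both cases go through `:tag` with top-level String and Array values only, so a nested Hash case would document where the filter currently stops. The enclosing test class continues outside the hunk.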