Commit 8c576313963d6be6644af9a2c675927ab7cbd2a1
1 parent
fe596c84
Exists in
theme-brasil-digital-from-staging
and in
9 other branches
removing search controller vulnabilities
Showing
3 changed files
with
53 additions
and
0 deletions
Show diff stats
app/controllers/public/search_controller.rb
| @@ -3,7 +3,10 @@ class SearchController < PublicController | @@ -3,7 +3,10 @@ class SearchController < PublicController | ||
| 3 | helper TagsHelper | 3 | helper TagsHelper |
| 4 | include SearchHelper | 4 | include SearchHelper |
| 5 | include ActionView::Helpers::NumberHelper | 5 | include ActionView::Helpers::NumberHelper |
| 6 | + include SanitizeParams | ||
| 6 | 7 | ||
| 8 | + | ||
| 9 | + before_filter :sanitize_params | ||
| 7 | before_filter :redirect_asset_param, :except => [:assets, :suggestions] | 10 | before_filter :redirect_asset_param, :except => [:assets, :suggestions] |
| 8 | before_filter :load_category, :except => :suggestions | 11 | before_filter :load_category, :except => :suggestions |
| 9 | before_filter :load_search_assets, :except => :suggestions | 12 | before_filter :load_search_assets, :except => :suggestions |
| @@ -0,0 +1,34 @@ | @@ -0,0 +1,34 @@ | ||
| 1 | +module SanitizeParams | ||
| 2 | + | ||
| 3 | + protected | ||
| 4 | + | ||
| 5 | + # Check each request parameter for | ||
| 6 | + # improper HTML or Script tags | ||
| 7 | + def sanitize_params | ||
| 8 | + request.params.each { |k, v| | ||
| 9 | + if v.is_a?(String) | ||
| 10 | + params[k] = sanitize_param v | ||
| 11 | + elsif v.is_a?(Array) | ||
| 12 | + params[k] = sanitize_array v | ||
| 13 | + end | ||
| 14 | + } | ||
| 15 | + end | ||
| 16 | + | ||
| 17 | + # If the parameter was an array, | ||
| 18 | + # try to sanitize each element in the array | ||
| 19 | + def sanitize_array(array) | ||
| 20 | + array.map! { |e| | ||
| 21 | + if e.is_a?(String) | ||
| 22 | + sanitize_param e | ||
| 23 | + end | ||
| 24 | + } | ||
| 25 | + return array | ||
| 26 | + end | ||
| 27 | + | ||
| 28 | + # Santitize a single value | ||
| 29 | + def sanitize_param(value) | ||
| 30 | + allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | ||
| 31 | + ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | ||
| 32 | + end | ||
| 33 | + | ||
| 34 | +end |
test/functional/search_controller_test.rb
| @@ -769,6 +769,22 @@ class SearchControllerTest < ActionController::TestCase | @@ -769,6 +769,22 @@ class SearchControllerTest < ActionController::TestCase | ||
| 769 | assert_equivalent [t1,t2,c1,c2,c3,c4] , assigns(:searches)[:communities][:results] | 769 | assert_equivalent [t1,t2,c1,c2,c3,c4] , assigns(:searches)[:communities][:results] |
| 770 | end | 770 | end |
| 771 | 771 | ||
| 772 | + should 'not allow query injection' do | ||
| 773 | + injection = '<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam' | ||
| 774 | + get :tag, :tag => injection | ||
| 775 | + tag = assigns(:tag) | ||
| 776 | + assert !tag.upcase.include?('IMG') && tag.include?('SearchParam') | ||
| 777 | + end | ||
| 778 | + | ||
| 779 | + should 'not allow query injection array' do | ||
| 780 | + injection = ['<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>', '<script>document.innerHTML = \'x\'</script>'] | ||
| 781 | + get :tag, :tag => injection | ||
| 782 | + tag = assigns(:tag) | ||
| 783 | + tag.each { |t| | ||
| 784 | + assert !t.upcase.include?('IMG') && !t.upcase.include?('SCRIPT') | ||
| 785 | + } | ||
| 786 | + end | ||
| 787 | + | ||
| 772 | protected | 788 | protected |
| 773 | 789 | ||
| 774 | def create_event(profile, options) | 790 | def create_event(profile, options) |