Commit 61931718b194cd49468fd07dbfa57dd0252b28dc

Authored by Braulio Bhavamitra
2 parents 732a29a0 d578209b

Merge branch 'fix-vunerabilities-found-with-breakman' into 'master'

Fix SQL injection vulnerabilities identified using Brakeman



See merge request !832
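--- a/app/controllers/my_profile/manage_products_controller.rb
+++ b/app/controllers/my_profile/manage_products_controller.rb
@@ -206,7 +206,7 @@ class ManageProductsController < ApplicationController
 end
 
 def certifiers_for_selection
-@qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil
+@qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil
 render :update do |page|
 page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection'
 end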
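Review bot: The exists?/find pair on new line 209 still issues two queries and leaves a window in which the row can disappear between them, so `find` can raise RecordNotFound despite the guard; a single `@qualifier = Qualifier.where(:id => params[:id]).first` (or `find_by(:id => params[:id])` on Rails 4) returns nil for a missing id in one round trip. The switch to `exists?(:id => ...)` is the right fix for the Brakeman finding, since a bare string argument to `exists?` is treated as an SQL fragment rather than an id. Separately, `params[:certifier_area]` on the following line goes straight into `page.replace_html` as a DOM id; RJS should JSON-escape it when emitting the JavaScript, but that is worth confirming rather than assumed. The closing `end` of certifiers_for_selection is outside the hunk.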
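--- a/app/controllers/public/contact_controller.rb
+++ b/app/controllers/public/contact_controller.rb
@@ -6,8 +6,8 @@ class ContactController < PublicController
 def new
 @contact = build_contact
 if request.post? && params[:confirm] == 'true'
-@contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil
-@contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil
+@contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil
+@contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil
 if @contact.deliver
 session[:notice] = _('Contact successfully sent')
 redirect_to :action => 'new'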
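Review bot: The same exists?/find double query appears on both new lines 9 and 10, and each can still raise RecordNotFound if the row is removed between the two statements; `@contact.city = City.where(:id => params[:city]).pluck(:name).first` collapses guard, lookup and name extraction into one query that yields nil for a blank or unknown id, which also makes the `blank?` pre-check redundant. The move to `exists?(:id => ...)` is correct because a bare string to `exists?` is interpreted as an SQL fragment, and the hash form additionally casts the parameter to the id column's type. Nothing here checks that the submitted city belongs to the submitted state; if the form pairs them, that consistency check is still missing. The `new` action continues past the hunk.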
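--- a/app/models/product_category.rb
+++ b/app/models/product_category.rb
@@ -14,6 +14,10 @@ class ProductCategory < Category
 where 'environment_id = ?', environment.id
 }
 
+scope :unique_by_level, lambda { |level| {
+:select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level.to_i}) AS filtered_category, categories.*"
+}}
+
 def all_products
 Product.where(product_category_id: (all_children << self).map(&:id))
 end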
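Review bot: `level.to_i` on new line 18 does close the injection path, but it silently maps nil or non-numeric input to 0, and PostgreSQL rejects `split_part(..., 0)` with a runtime error rather than returning an empty result; coercing strictly at the top of the lambda with `level = Integer(level)` and `raise ArgumentError, 'level must be >= 1' unless level >= 1` makes a bad argument fail at the call site with a clear message instead of as a database exception. `DISTINCT ON` is PostgreSQL-specific and, with no ORDER BY in the scope, picks an arbitrary row per distinct path segment, which deserves a comment such as `# PostgreSQL only: DISTINCT ON returns one arbitrary row per path segment at this depth unless the caller adds an order`. The hash-returning lambda also differs in form from the `where`-style scopes above it; `select("...")` is the relation equivalent if the Rails version in use accepts it.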
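--- a/app/models/task.rb
+++ b/app/models/task.rb
@@ -275,9 +275,19 @@ class Task < ActiveRecord::Base
 scope :canceled, -> { where status: Task::Status::CANCELLED }
 scope :closed, -> { where status: [Task::Status::CANCELLED, Task::Status::FINISHED] }
 scope :opened, -> { where status: [Task::Status::ACTIVE, Task::Status::HIDDEN] }
-scope :of, -> type { where "type LIKE ?", type if type }
-scope :order_by, -> attribute, ord { order "#{attribute} #{ord}" }
-scope :like, -> field, value { where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%" if value }
+scope :of, -> type { where :type => type if type }
+scope :order_by, -> attribute, ord {
+if ord.downcase.include? 'desc'
+order attribute.to_sym => :desc
+else
+order attribute.to_sym
+end
+}
+scope :like, -> field, value {
+if value and Task.column_names.include? field
+where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%"
+end
+}
 scope :pending_all, -> profile, filter_type, filter_text {
 self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text)
 }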
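Review bot: `order_by` on new lines 279-285 passes `attribute` to `order` unchecked, while the sibling `like` scope a few lines below does whitelist its field against `Task.column_names`; the two scopes should agree, and `ord.downcase` now raises NoMethodError for a nil direction where the old interpolation tolerated it. Arel quotes the hash key as an identifier, so this is not a direct SQL injection, but an unknown column still surfaces as a database error and `to_sym` on caller-supplied strings grows the symbol table on Rubies before 2.2. I would gate on the column list, coerce the direction defensively and keep the existing `include?('desc')` semantics, as below. In `like`, `LOWER(#{field})` is safe because of the whitelist, but `%` and `_` in `value` remain LIKE wildcards, which is fine for a search box only if that is intended.
```ruby
scope :order_by, -> attribute, ord {
  attribute = attribute.to_s
  raise ArgumentError, "unknown Task attribute: #{attribute}" unless Task.column_names.include?(attribute)
  direction = ord.to_s.downcase.include?('desc') ? :desc : :asc
  order attribute => direction
}
# … unchanged: like, pending_all …
```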
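--- a/lib/activities_counter_cache_job.rb
+++ b/lib/activities_counter_cache_job.rb
@@ -1,11 +1,14 @@
 class ActivitiesCounterCacheJob
+
 def perform
-person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
-organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
 activities_counts = person_activities_counts.entries + organization_activities_counts.entries
 activities_counts.each do |count|
-ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{count['id']};")
+update_sql = ActiveRecord::Base.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+ActiveRecord::Base.connection.execute(update_sql)
 end
 Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
 end
+
 end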
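Review bot: The UPDATE on new line 8 reaches into a private API with `__send__(:sanitize_sql, ..., '')`, whose trailing table-name argument is dropped in later Rails versions, while the SELECTs two lines above already use the public `connection.quote`; the same fix in public API is `Profile.where(:id => count['id']).update_all(:activities_count => count['count'].to_i)`, assuming the profiles table is backed by a Profile model as the STI type names in the queries suggest. There is also a pre-existing logic issue the commit leaves untouched: filtering `action_tracker.created_at` in the WHERE clause on new lines 4 and 5 turns the LEFT OUTER JOIN into an inner join, so profiles with no recent activity never appear in the result and their stale `activities_count` is never reset to 0; moving the date condition into the ON clause would fix that. Quoting the RECENT_DELAY timestamp is harmless, but since it derives from a constant rather than request input, a short comment such as `# quoted for consistency/Brakeman; the value is constant-derived, not user input` would stop the next reader from hunting for a taint path.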