Commit 61931718b194cd49468fd07dbfa57dd0252b28dc
Exists in
web_steps_improvements
and in
8 other branches
Merge branch 'fix-vunerabilities-found-with-breakman' into 'master'
fix to sql injections vulnerabilities identified using brakeman See merge request !832
Showing
5 changed files
with
26 additions
and
9 deletions
Show diff stats
app/controllers/my_profile/manage_products_controller.rb
| @@ -206,7 +206,7 @@ class ManageProductsController < ApplicationController | @@ -206,7 +206,7 @@ class ManageProductsController < ApplicationController | ||
| 206 | end | 206 | end |
| 207 | 207 | ||
| 208 | def certifiers_for_selection | 208 | def certifiers_for_selection |
| 209 | - @qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil | 209 | + @qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil |
| 210 | render :update do |page| | 210 | render :update do |page| |
| 211 | page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection' | 211 | page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection' |
| 212 | end | 212 | end |
app/controllers/public/contact_controller.rb
| @@ -6,8 +6,8 @@ class ContactController < PublicController | @@ -6,8 +6,8 @@ class ContactController < PublicController | ||
| 6 | def new | 6 | def new |
| 7 | @contact = build_contact | 7 | @contact = build_contact |
| 8 | if request.post? && params[:confirm] == 'true' | 8 | if request.post? && params[:confirm] == 'true' |
| 9 | - @contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil | ||
| 10 | - @contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil | 9 | + @contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil |
| 10 | + @contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil | ||
| 11 | if @contact.deliver | 11 | if @contact.deliver |
| 12 | session[:notice] = _('Contact successfully sent') | 12 | session[:notice] = _('Contact successfully sent') |
| 13 | redirect_to :action => 'new' | 13 | redirect_to :action => 'new' |
app/models/product_category.rb
| @@ -14,6 +14,10 @@ class ProductCategory < Category | @@ -14,6 +14,10 @@ class ProductCategory < Category | ||
| 14 | where 'environment_id = ?', environment.id | 14 | where 'environment_id = ?', environment.id |
| 15 | } | 15 | } |
| 16 | 16 | ||
| 17 | + scope :unique_by_level, lambda { |level| { | ||
| 18 | + :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level.to_i}) AS filtered_category, categories.*" | ||
| 19 | + }} | ||
| 20 | + | ||
| 17 | def all_products | 21 | def all_products |
| 18 | Product.where(product_category_id: (all_children << self).map(&:id)) | 22 | Product.where(product_category_id: (all_children << self).map(&:id)) |
| 19 | end | 23 | end |
app/models/task.rb
| @@ -275,9 +275,19 @@ class Task < ActiveRecord::Base | @@ -275,9 +275,19 @@ class Task < ActiveRecord::Base | ||
| 275 | scope :canceled, -> { where status: Task::Status::CANCELLED } | 275 | scope :canceled, -> { where status: Task::Status::CANCELLED } |
| 276 | scope :closed, -> { where status: [Task::Status::CANCELLED, Task::Status::FINISHED] } | 276 | scope :closed, -> { where status: [Task::Status::CANCELLED, Task::Status::FINISHED] } |
| 277 | scope :opened, -> { where status: [Task::Status::ACTIVE, Task::Status::HIDDEN] } | 277 | scope :opened, -> { where status: [Task::Status::ACTIVE, Task::Status::HIDDEN] } |
| 278 | - scope :of, -> type { where "type LIKE ?", type if type } | ||
| 279 | - scope :order_by, -> attribute, ord { order "#{attribute} #{ord}" } | ||
| 280 | - scope :like, -> field, value { where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%" if value } | 278 | + scope :of, -> type { where :type => type if type } |
| 279 | + scope :order_by, -> attribute, ord { | ||
| 280 | + if ord.downcase.include? 'desc' | ||
| 281 | + order attribute.to_sym => :desc | ||
| 282 | + else | ||
| 283 | + order attribute.to_sym | ||
| 284 | + end | ||
| 285 | + } | ||
| 286 | + scope :like, -> field, value { | ||
| 287 | + if value and Task.column_names.include? field | ||
| 288 | + where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%" | ||
| 289 | + end | ||
| 290 | + } | ||
| 281 | scope :pending_all, -> profile, filter_type, filter_text { | 291 | scope :pending_all, -> profile, filter_type, filter_text { |
| 282 | self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text) | 292 | self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text) |
| 283 | } | 293 | } |
lib/activities_counter_cache_job.rb
| 1 | class ActivitiesCounterCacheJob | 1 | class ActivitiesCounterCacheJob |
| 2 | + | ||
| 2 | def perform | 3 | def perform |
| 3 | - person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;") | ||
| 4 | - organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;") | 4 | + person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;") |
| 5 | + organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;") | ||
| 5 | activities_counts = person_activities_counts.entries + organization_activities_counts.entries | 6 | activities_counts = person_activities_counts.entries + organization_activities_counts.entries |
| 6 | activities_counts.each do |count| | 7 | activities_counts.each do |count| |
| 7 | - ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{count['id']};") | 8 | + update_sql = ActiveRecord::Base.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '') |
| 9 | + ActiveRecord::Base.connection.execute(update_sql) | ||
| 8 | end | 10 | end |
| 9 | Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now}) | 11 | Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now}) |
| 10 | end | 12 | end |
| 13 | + | ||
| 11 | end | 14 | end |