Merge pull request #7632 from opf/fix/sql_injection_on_project_order

ensure direction in project order to be asc or desc

[ci skip]
pull/7636/head
Oliver Günther 5 years ago committed by GitHub
commit 38e1671b5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 12
      app/models/queries/base_order.rb
  2. 4
      app/models/queries/projects/orders/latest_activity_at_order.rb
  3. 7
      app/models/queries/projects/orders/required_disk_space_order.rb
  4. 58
      spec/models/queries/projects/orders/latest_activity_at_order_spec.rb
  5. 58
      spec/models/queries/projects/orders/required_disk_space_order_spec.rb

@ -31,11 +31,13 @@
class Queries::BaseOrder
include ActiveModel::Validations
VALID_DIRECTIONS = %i(asc desc).freeze
def self.i18n_scope
:activerecord
end
validates :direction, inclusion: { in: %i(asc desc) }
validates :direction, inclusion: { in: VALID_DIRECTIONS }
class_attribute :model
attr_accessor :direction,
@ -68,4 +70,12 @@ class Queries::BaseOrder
def joins
nil
end
def with_raise_on_invalid
if VALID_DIRECTIONS.include?(direction)
yield
else
raise ArgumentError, "Only one of #{VALID_DIRECTIONS} allowed. #{direction} is provided."
end
end
end

@ -38,6 +38,8 @@ class Queries::Projects::Orders::LatestActivityAtOrder < Queries::BaseOrder
private
def order
model.order("activity.latest_activity_at #{direction}")
with_raise_on_invalid do
model.order(Arel.sql("activity.latest_activity_at").send(direction))
end
end
end

@ -38,8 +38,9 @@ class Queries::Projects::Orders::RequiredDiskSpaceOrder < Queries::BaseOrder
private
def order
attribute = Project.required_disk_space_sum
model.order("#{attribute} #{direction}")
with_raise_on_invalid do
attribute = Project.required_disk_space_sum
model.order(Arel.sql(attribute).send(direction))
end
end
end

@ -0,0 +1,58 @@
#-- encoding: UTF-8
#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2017 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++
require 'spec_helper'
describe Queries::Projects::Orders::LatestActivityAtOrder, type: :model do
let(:instance) do
described_class.new('').tap do |i|
i.direction = direction
end
end
let(:direction) { :asc }
describe '#scope' do
context 'with a valid direction' do
it 'orders by the disk space' do
expect(instance.scope.to_sql)
.to eql(Project.order(Arel.sql("activity.latest_activity_at").asc).to_sql)
end
end
context 'with an invalid direction' do
let(:direction) { 'bogus' }
it 'raises an error' do
expect { instance.scope }
.to raise_error(ArgumentError)
end
end
end
end

@ -0,0 +1,58 @@
#-- encoding: UTF-8
#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2017 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++
require 'spec_helper'
describe Queries::Projects::Orders::RequiredDiskSpaceOrder, type: :model do
let(:instance) do
described_class.new('').tap do |i|
i.direction = direction
end
end
let(:direction) { :asc }
describe '#scope' do
context 'with a valid direction' do
it 'orders by the disk space' do
expect(instance.scope.to_sql)
.to eql(Project.order(Arel.sql(Project.required_disk_space_sum).asc).to_sql)
end
end
context 'with an invalid direction' do
let(:direction) { 'bogus' }
it 'raises an error' do
expect { instance.scope }
.to raise_error(ArgumentError)
end
end
end
end
Loading…
Cancel
Save