mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 09:36:19 -05:00
SECURITY: SQL Injection in Admin List Active Users
This commit is contained in:
parent
2f8ab8cd30
commit
dc1a830d3d
2 changed files with 23 additions and 1 deletions
|
@ -18,8 +18,20 @@ class AdminUserIndexQuery
|
||||||
find_users_query.count
|
find_users_query.count
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.orderable_columns
|
||||||
|
%w(created_at days_visited posts_read_count topics_entered post_count trust_level)
|
||||||
|
end
|
||||||
|
|
||||||
def initialize_query_with_order(klass)
|
def initialize_query_with_order(klass)
|
||||||
order = [params[:order]]
|
order = []
|
||||||
|
|
||||||
|
custom_order = params[:order]
|
||||||
|
if custom_order.present? &&
|
||||||
|
without_dir = custom_order.downcase.sub(/ (asc|desc)$/, '')
|
||||||
|
if AdminUserIndexQuery.orderable_columns.include?(without_dir)
|
||||||
|
order << custom_order
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
if params[:query] == "active"
|
if params[:query] == "active"
|
||||||
order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC"
|
order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC"
|
||||||
|
|
|
@ -16,6 +16,16 @@ describe AdminUserIndexQuery do
|
||||||
query = ::AdminUserIndexQuery.new({ query: "active" })
|
query = ::AdminUserIndexQuery.new({ query: "active" })
|
||||||
expect(query.find_users_query.to_sql).to match("last_seen_at")
|
expect(query.find_users_query.to_sql).to match("last_seen_at")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "can't be injected" do
|
||||||
|
query = ::AdminUserIndexQuery.new({ order: "wat, no" })
|
||||||
|
expect(query.find_users_query.to_sql).not_to match("wat, no")
|
||||||
|
end
|
||||||
|
|
||||||
|
it "allows custom ordering" do
|
||||||
|
query = ::AdminUserIndexQuery.new({ order: "trust_level DESC" })
|
||||||
|
expect(query.find_users_query.to_sql).to match("trust_level DESC")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "no users with trust level" do
|
describe "no users with trust level" do
|
||||||
|
|
Loading…
Reference in a new issue