SECURITY: SQL Injection in Admin List Active Users

This commit is contained in:
Robin Ward 2016-07-28 11:42:06 -04:00
parent 2f8ab8cd30
commit dc1a830d3d
2 changed files with 23 additions and 1 deletions

View file

@ -18,8 +18,20 @@ class AdminUserIndexQuery
find_users_query.count find_users_query.count
end end
def self.orderable_columns
%w(created_at days_visited posts_read_count topics_entered post_count trust_level)
end
def initialize_query_with_order(klass) def initialize_query_with_order(klass)
order = [params[:order]] order = []
custom_order = params[:order]
if custom_order.present? &&
without_dir = custom_order.downcase.sub(/ (asc|desc)$/, '')
if AdminUserIndexQuery.orderable_columns.include?(without_dir)
order << custom_order
end
end
if params[:query] == "active" if params[:query] == "active"
order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC" order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC"

View file

@ -16,6 +16,16 @@ describe AdminUserIndexQuery do
query = ::AdminUserIndexQuery.new({ query: "active" }) query = ::AdminUserIndexQuery.new({ query: "active" })
expect(query.find_users_query.to_sql).to match("last_seen_at") expect(query.find_users_query.to_sql).to match("last_seen_at")
end end
it "can't be injected" do
query = ::AdminUserIndexQuery.new({ order: "wat, no" })
expect(query.find_users_query.to_sql).not_to match("wat, no")
end
it "allows custom ordering" do
query = ::AdminUserIndexQuery.new({ order: "trust_level DESC" })
expect(query.find_users_query.to_sql).to match("trust_level DESC")
end
end end
describe "no users with trust level" do describe "no users with trust level" do