mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 09:36:19 -05:00
SECURITY: SQL Injection in Admin List Active Users
This commit is contained in:
parent
2f8ab8cd30
commit
dc1a830d3d
2 changed files with 23 additions and 1 deletions
|
@ -18,8 +18,20 @@ class AdminUserIndexQuery
|
|||
find_users_query.count
|
||||
end
|
||||
|
||||
def self.orderable_columns
|
||||
%w(created_at days_visited posts_read_count topics_entered post_count trust_level)
|
||||
end
|
||||
|
||||
def initialize_query_with_order(klass)
|
||||
order = [params[:order]]
|
||||
order = []
|
||||
|
||||
custom_order = params[:order]
|
||||
if custom_order.present? &&
|
||||
without_dir = custom_order.downcase.sub(/ (asc|desc)$/, '')
|
||||
if AdminUserIndexQuery.orderable_columns.include?(without_dir)
|
||||
order << custom_order
|
||||
end
|
||||
end
|
||||
|
||||
if params[:query] == "active"
|
||||
order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC"
|
||||
|
|
|
@ -16,6 +16,16 @@ describe AdminUserIndexQuery do
|
|||
query = ::AdminUserIndexQuery.new({ query: "active" })
|
||||
expect(query.find_users_query.to_sql).to match("last_seen_at")
|
||||
end
|
||||
|
||||
it "can't be injected" do
|
||||
query = ::AdminUserIndexQuery.new({ order: "wat, no" })
|
||||
expect(query.find_users_query.to_sql).not_to match("wat, no")
|
||||
end
|
||||
|
||||
it "allows custom ordering" do
|
||||
query = ::AdminUserIndexQuery.new({ order: "trust_level DESC" })
|
||||
expect(query.find_users_query.to_sql).to match("trust_level DESC")
|
||||
end
|
||||
end
|
||||
|
||||
describe "no users with trust level" do
|
||||
|
|
Loading…
Reference in a new issue