SECURITY: Run custom field validations with save_custom_fields

This commit is contained in:
Daniel Waterworth 2023-12-19 11:57:47 -06:00 committed by Isaac Janzen
parent fd4ff92892
commit 4494d62531
No known key found for this signature in database
GPG Key ID: D75AF9C21FD8EBCD
2 changed files with 9 additions and 2 deletions


@ -172,7 +172,7 @@ module HasCustomFields
validate :custom_fields_max_items, unless: :custom_fields_clean?
validate :custom_fields_value_length, unless: :custom_fields_clean?
after_save :save_custom_fields
after_save { save_custom_fields(run_validations: false) }
end
attr_reader :preloaded_custom_fields
@ -265,7 +265,13 @@ module HasCustomFields
on_custom_fields_change
end
def save_custom_fields(force = false)
def save_custom_fields(force = false, run_validations: true)
if run_validations
custom_fields_max_items
custom_fields_value_length
raise_validation_error unless errors.empty?
end
if force || !custom_fields_clean?
ActiveRecord::Base.transaction do
dup = @custom_fields.dup.with_indifferent_access
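Review bot: `raise_validation_error unless errors.empty?` in the new block at the top of `save_custom_fields` fires on any error already sitting on the record, not only on those the two custom-field validators just added, so a caller that ran `valid?` earlier and failed on an unrelated attribute gets a `RecordInvalid` blaming that attribute even when the custom fields are fine, and because `errors` is never cleared here the stale entries persist into later calls. Scoping the raise to these validators is a small change: `before = errors.size`, then the two validator calls unchanged, then `raise_validation_error if errors.size > before`. The `run_validations: false` keyword is a deliberate bypass of the new enforcement and is only justified at the one call site in the `after_save` block, where (judging by the `validate ... unless: :custom_fields_clean?` lines above) `save` has already run the same checks; I would state that on the method so nobody copies it into a direct caller: `# run_validations: false is reserved for the after_save callback, where the validators have already run as part of save; direct callers must keep the default.` The body of `save_custom_fields` continues past the end of this hunk.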


@ -406,6 +406,7 @@ RSpec.describe HasCustomFields do
test_item.custom_fields = { "foo" => "aa" }
expect { test_item.save! }.to raise_error(ActiveRecord::RecordInvalid)
expect { test_item.save_custom_fields }.to raise_error(ActiveRecord::RecordInvalid)
end
describe "upsert_custom_fields" do