From 4494d625317894a3400b9865a35276c04b87523c Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Tue, 19 Dec 2023 11:57:47 -0600
Subject: [PATCH] SECURITY: Run custom field validations with save_custom_fields

---
 app/models/concerns/has_custom_fields.rb   | 10 ++++++++--
 spec/lib/concern/has_custom_fields_spec.rb |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/models/concerns/has_custom_fields.rb b/app/models/concerns/has_custom_fields.rb
index 503103691d3..690c976430f 100644
--- a/app/models/concerns/has_custom_fields.rb
+++ b/app/models/concerns/has_custom_fields.rb
@@ -172,7 +172,7 @@ module HasCustomFields
     validate :custom_fields_max_items, unless: :custom_fields_clean?
     validate :custom_fields_value_length, unless: :custom_fields_clean?
 
-    after_save :save_custom_fields
+    after_save { save_custom_fields(run_validations: false) }
   end
 
   attr_reader :preloaded_custom_fields
@@ -265,7 +265,13 @@ module HasCustomFields
     on_custom_fields_change
   end
 
-  def save_custom_fields(force = false)
+  def save_custom_fields(force = false, run_validations: true)
+    if run_validations
+      custom_fields_max_items
+      custom_fields_value_length
+      raise_validation_error unless errors.empty?
+    end
+
     if force || !custom_fields_clean?
       ActiveRecord::Base.transaction do
         dup = @custom_fields.dup.with_indifferent_access
diff --git a/spec/lib/concern/has_custom_fields_spec.rb b/spec/lib/concern/has_custom_fields_spec.rb
index 8c7edc9f115..b23c8cc1834 100644
--- a/spec/lib/concern/has_custom_fields_spec.rb
+++ b/spec/lib/concern/has_custom_fields_spec.rb
@@ -406,6 +406,7 @@ RSpec.describe HasCustomFields do
         test_item.custom_fields = { "foo" => "aa" }
 
         expect { test_item.save! }.to raise_error(ActiveRecord::RecordInvalid)
+        expect { test_item.save_custom_fields }.to raise_error(ActiveRecord::RecordInvalid)
       end
 
       describe "upsert_custom_fields" do
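Review bot: Replacing the named callback `after_save :save_custom_fields` with an anonymous block means the callback can no longer be referenced by method name, so any existing `skip_callback :save, :after, :save_custom_fields` elsewhere in the codebase would stop matching without an error; I cannot see whether such a call exists, so this is worth a grep. If nothing depends on the name, a one-line comment on the block would help the next reader understand why validations are skipped here: `# validations already ran as part of save; do not run them a second time`. The `included do` block this line sits in starts outside the hunk.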
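Review bot: In the new `run_validations` branch of `save_custom_fields`, `raise_validation_error unless errors.empty?` inspects the whole `errors` collection, which is not cleared before `custom_fields_max_items` and `custom_fields_value_length` are run; stale errors left on the instance by an earlier `valid?`/`save` on unrelated attributes would therefore make this call raise even when the custom fields themselves are within limits, and repeated calls accumulate duplicate custom-field errors. One option is `errors.clear` at the top of the branch, if callers do not rely on pre-existing errors surviving; alternatively, compare `errors.size` before and after the two validator calls and raise only when it grew. Unlike the `validate` declarations above, these two calls run even when `custom_fields_clean?` is true, which looks harmless but differs from the callback path and deserves a short comment, e.g. `# Run the same checks the save-time validators run, so direct callers cannot bypass the limits`. The keyword `run_validations:` should also be documented on the method (`# @param run_validations [Boolean] false only from the after_save callback, where validations already ran`). The body of `save_custom_fields` continues outside the hunk.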
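Review bot: The added expectation pins only the value-length path for a direct `save_custom_fields` call; the commit also makes `custom_fields_max_items` run on that path, and no spec in this hunk exercises it. A parallel example that assigns more items than the configured maximum and expects `test_item.save_custom_fields` to raise `ActiveRecord::RecordInvalid` would cover the second validator. The surrounding `it` block starts outside the hunk, so the setup that makes `"aa"` too long is not visible here.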