From 1d3f04d4bbf195369ea0e7e719990a28508809fd Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 6 Feb 2017 16:10:48 -0500 Subject: [PATCH] SECURITY: correctly validate input when admin searches for screened ips --- app/controllers/admin/screened_ip_addresses_controller.rb | 2 +- .../admin/screened_ip_addresses_controller_spec.rb | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/app/controllers/admin/screened_ip_addresses_controller.rb b/app/controllers/admin/screened_ip_addresses_controller.rb index bb7064b9dc2..31df2a6b8eb 100644 --- a/app/controllers/admin/screened_ip_addresses_controller.rb +++ b/app/controllers/admin/screened_ip_addresses_controller.rb @@ -9,7 +9,7 @@ class Admin::ScreenedIpAddressesController < Admin::AdminController filter = IPAddr.handle_wildcards(filter) screened_ip_addresses = ScreenedIpAddress - screened_ip_addresses = screened_ip_addresses.where("cidr '#{filter}' >>= ip_address") if filter.present? + screened_ip_addresses = screened_ip_addresses.where("cidr :filter >>= ip_address", filter: filter) if filter.present? screened_ip_addresses = screened_ip_addresses.limit(200).order('match_count desc') begin diff --git a/spec/controllers/admin/screened_ip_addresses_controller_spec.rb b/spec/controllers/admin/screened_ip_addresses_controller_spec.rb index 64cbfa0f80d..2ababc1a49e 100644 --- a/spec/controllers/admin/screened_ip_addresses_controller_spec.rb +++ b/spec/controllers/admin/screened_ip_addresses_controller_spec.rb @@ -16,10 +16,15 @@ describe Admin::ScreenedIpAddressesController do Fabricate(:screened_ip_address, ip_address: "1.2.3.6") Fabricate(:screened_ip_address, ip_address: "4.5.6.7") - xhr :get, :index, filter: "4.*" + xhr :get, :index, filter: "1.2.*" expect(response).to be_success + result = JSON.parse(response.body) + expect(result.length).to eq(3) + xhr :get, :index, filter: "4.5.6.7" + + expect(response).to be_success result = JSON.parse(response.body) expect(result.length).to eq(1) end