SECURITY: correctly validate input when admin searches for screened ips

2024-12-16 02:28:33 +08:00 · 2017-02-06 16:10:48 -05:00 · 2017-02-06 16:10:48 -05:00 · 1d3f04d4bb
commit 1d3f04d4bb
parent 5fc70471be
2 changed files with 7 additions and 2 deletions
--- a/app/controllers/admin/screened_ip_addresses_controller.rb
+++ b/app/controllers/admin/screened_ip_addresses_controller.rb
@ -9,7 +9,7 @@ class Admin::ScreenedIpAddressesController < Admin::AdminController
    filter = IPAddr.handle_wildcards(filter)

    screened_ip_addresses = ScreenedIpAddress
-    screened_ip_addresses = screened_ip_addresses.where("cidr '#{filter}' >>= ip_address") if filter.present?
+    screened_ip_addresses = screened_ip_addresses.where("cidr :filter >>= ip_address", filter: filter) if filter.present?
    screened_ip_addresses = screened_ip_addresses.limit(200).order('match_count desc')

    begin
--- a/spec/controllers/admin/screened_ip_addresses_controller_spec.rb
+++ b/spec/controllers/admin/screened_ip_addresses_controller_spec.rb
@ -16,10 +16,15 @@ describe Admin::ScreenedIpAddressesController do
      Fabricate(:screened_ip_address, ip_address: "1.2.3.6")
      Fabricate(:screened_ip_address, ip_address: "4.5.6.7")

-      xhr :get, :index, filter: "4.*"
+      xhr :get, :index, filter: "1.2.*"

      expect(response).to be_success
+      result = JSON.parse(response.body)
+      expect(result.length).to eq(3)

+      xhr :get, :index, filter: "4.5.6.7"
+
+      expect(response).to be_success
      result = JSON.parse(response.body)
      expect(result.length).to eq(1)
    end