SECURITY: correctly validate input when admin searches for screened ips
This commit is contained in:
parent
5fc70471be
commit
1d3f04d4bb
|
@ -9,7 +9,7 @@ class Admin::ScreenedIpAddressesController < Admin::AdminController
|
|||
filter = IPAddr.handle_wildcards(filter)
|
||||
|
||||
screened_ip_addresses = ScreenedIpAddress
|
||||
screened_ip_addresses = screened_ip_addresses.where("cidr '#{filter}' >>= ip_address") if filter.present?
|
||||
screened_ip_addresses = screened_ip_addresses.where("cidr :filter >>= ip_address", filter: filter) if filter.present?
|
||||
screened_ip_addresses = screened_ip_addresses.limit(200).order('match_count desc')
|
||||
|
||||
begin
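Review bot: The bound `:filter` on the new where-line closes the string-interpolation hole, but the value handed to `cidr` is still whatever `IPAddr.handle_wildcards` returns, and nothing in this hunk checks that it parses as an address or CIDR block before the query runs, so a malformed filter is rejected by Postgres inside the query rather than at input validation. The `begin` on the hunk's last line suggests a rescue around the query follows, but it is outside the hunk, so I can't confirm that path covers it. A cheaper guard is to validate up front, e.g. `IPAddr.new(filter) if filter.present?` and treat `IPAddr::InvalidAddressError` as an empty filter, so the database is never asked to cast unvalidated text. The new line would also read better with a why-comment such as `# :filter is a bound parameter; Postgres casts it to cidr and rejects malformed input`. The enclosing action starts before the hunk, so where `filter` is read from is not visible here.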
|
||||
|
|
|
@ -16,10 +16,15 @@ describe Admin::ScreenedIpAddressesController do
|
|||
Fabricate(:screened_ip_address, ip_address: "1.2.3.6")
|
||||
Fabricate(:screened_ip_address, ip_address: "4.5.6.7")
|
||||
|
||||
xhr :get, :index, filter: "4.*"
|
||||
xhr :get, :index, filter: "1.2.*"
|
||||
|
||||
expect(response).to be_success
|
||||
result = JSON.parse(response.body)
|
||||
expect(result.length).to eq(3)
|
||||
|
||||
xhr :get, :index, filter: "4.5.6.7"
|
||||
|
||||
expect(response).to be_success
|
||||
result = JSON.parse(response.body)
|
||||
expect(result.length).to eq(1)
|
||||
end
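Review bot: The spec exercises a wildcard filter and an exact-match filter, but no example sends a filter that is not a valid address, which is the input class the commit title is about, so the regression it fixes is not pinned here. Adding an example like `xhr :get, :index, filter: "not-an-ip"` followed by an expectation on the controller's intended response (success with an empty list, or a client error) would cover it; the exact expectation depends on the controller's handling of invalid filters, which is not in this hunk. The `expect(result.length).to eq(3)` after the "1.2.*" query relies on records fabricated above the hunk, and the enclosing example starts outside the hunk.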
|
||||
|
|