github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-01-21 14:06:14 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
439cc5b023
discourse/spec
History
Alan Guo Xiang Tan 439cc5b023
SECURITY: Impose a upper bound on limit params in various controllers 
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:56:35 +01:00
..
fabricators DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
fixtures DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
helpers DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
import_export DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
initializers DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
integration FIX: Query UploadReference in UploadSecurity for existing uploads (#19917) 2023-01-25 13:48:49 +02:00
integrity FIX: Fix incorrect hashtag setting migration (#19857) 2023-01-25 13:48:49 +02:00
jobs DEV: Fix threading error when running jobs immediately in system tests (#19811) 2023-01-10 13:41:25 +08:00
lib SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:56:35 +01:00
mailers DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
models SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:56:35 +01:00
multisite DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
requests SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:56:35 +01:00
script/import_scripts DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
serializers SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:56:35 +01:00
services SECURITY: Add FinalDestination::FastImage that's SSRF safe 2023-03-16 16:25:48 -06:00
support DEV: Introduce stub_ip_lookup spec helper (#20571) 2023-03-09 08:46:41 +08:00
system FIX: Failing system spec for rate limited search (#20046) 2023-02-01 19:05:58 -08:00
tasks DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
views DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
rails_helper.rb SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:56:35 +01:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00