discourse/spec/lib
Alan Guo Xiang Tan bfc3132bb2
SECURITY: Impose a upper bound on limit params in various controllers
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:53:46 +01:00
..
auth DEV: Fix random typos (#22804) 2023-07-26 12:45:35 +02:00
backup_restore DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
common_passwords DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
compression DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
concern DEV: stop leaking data into tables during test (#21403) 2023-05-06 07:15:33 +10:00
content_security_policy DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
email DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
file_store FEATURE: allow S3 ACLs to be disabled (#21769) 2023-06-06 15:47:40 +10:00
final_destination DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
freedom_patches DEV: Update TranslateAccelerator missing translation string (#22158) 2023-06-16 15:28:03 +01:00
guardian FEATURE: Separated 'trusted users can edit others' setting for trust level 3 & 4 (#21493) 2023-07-07 10:48:14 -05:00
highlight_js DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
i18n DEV: Update I18n to 1.13.0 (#21685) 2023-05-24 08:59:37 +08:00
imap DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
import DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
middleware SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
migration DEV: Allow DROP NOT NULL in pre-deploy migrations (#20775) 2023-03-22 14:43:32 +00:00
onebox FIX: Update "Embed Motoko" Onebox URLs (#22198) 2023-07-26 09:41:01 +08:00
plugin DEV: Add Custom emoji sanitization (#22697) 2023-07-19 14:09:26 -05:00
pretty_text FIX: Hashtag error in PrettyText when processing email (#22680) 2023-07-19 10:52:18 +10:00
rate_limiter DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
scheduler DEV: Prevent defer stats exception when thread aborted (#19863) 2023-01-16 09:08:44 +11:00
second_factor DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
seed_data DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
site_settings DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
stylesheet DEV: Eliminate flakiness in specs that depend on plugins from fixtures (#21912) 2023-06-05 08:06:00 +08:00
summarization FEATURE: Inline topic summary. Cached version accessible to everyone. (#22551) 2023-07-12 11:21:51 -03:00
svg_sprite DEV: Eliminate flakiness in specs that depend on plugins from fixtures (#21912) 2023-06-05 08:06:00 +08:00
theme_store DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
topic_query FEATURE: Only list watching group messages in messages notifications panel (#20630) 2023-03-13 08:09:38 +08:00
validators DEV: Add some description to help with understanding flakey test failures (#22772) 2023-07-25 15:14:08 +08:00
webauthn DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
wizard DEV: Replace #pluck_first freedom patch with AR #pick in core (#19893) 2023-02-13 12:39:45 +08:00
admin_confirmation_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
admin_user_index_query_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
archetype_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
bookmark_manager_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
bookmark_query_spec.rb SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
bookmark_reminder_notification_handler_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
browser_detection_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
cache_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
category_badge_spec.rb FIX: do not escape slash for category text description (#20460) 2023-02-27 12:48:48 +11:00
category_guardian_spec.rb FIX: Don't autojoin users when they have ready-only permissions (#20213) 2023-05-10 08:45:13 -03:00
color_math_spec.rb UX: Calculate missing hover/selected colors from existing colors (#20105) 2023-02-01 09:55:21 +00:00
composer_messages_finder_spec.rb DEV: Ensure don't feed the trolls feature considers active flags only (#22774) 2023-07-25 15:12:22 +08:00
content_buffer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
content_security_policy_spec.rb SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
cooked_post_processor_spec.rb DEV: Skip srcset for onebox thumbnails (#22621) 2023-07-19 12:21:34 -06:00
crawler_detection_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
current_user_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
db_helper_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
directory_helper_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
discourse_diff_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
discourse_event_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
discourse_hub_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
discourse_js_processor_spec.rb FIX: Ensure skip-module JS is transpiled correctly (#21224) 2023-04-24 17:39:02 +01:00
discourse_plugin_registry_spec.rb FEATURE: Add hooks for email poller plugins (#21384) 2023-06-26 13:16:03 +08:00
discourse_redis_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
discourse_sourcemapping_url_processor_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
discourse_spec.rb FEATURE: reduce avatar sizes to 6 from 20 (#21319) 2023-06-01 10:00:01 +10:00
discourse_tagging_spec.rb FIX: delete synonym tags if other synonyms are already exist. (#21885) 2023-06-02 19:47:29 +05:30
discourse_updates_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
distributed_cache_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
distributed_memoizer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
distributed_mutex_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
email_cook_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
email_updater_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
ember_cli_spec.rb DEV: Add test for EmberCli#ember_version (#18140) 2022-08-30 20:33:08 +01:00
encodings_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
enum_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
excerpt_parser_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
feed_element_installer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
feed_item_accessor_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
file_helper_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
filter_best_posts_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
final_destination_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
flag_settings_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
gaps_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
git_repo_spec.rb FEATURE: display commit hash for each plugin on /admin/plugins page. (#22176) 2023-06-26 10:09:57 +05:30
git_url_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
global_path_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
group_email_credentials_check_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
group_lookup_spec.rb FEATURE: display PM participant group names in the topics list. (#21677) 2023-05-31 19:32:06 +05:30
guardian_spec.rb FEATURE: Implement SiteSetting to Allow Anonymous Likes (#22131) 2023-07-21 21:21:07 +08:00
has_errors_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
hijack_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
html_prettify_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
html_to_markdown_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
image_sizer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
inline_oneboxer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
js_locale_helper_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
json_error_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
letter_avatar_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
message_id_service_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
method_profiler_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
mini_sql_multisite_connection_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
mobile_detection_spec.rb Drop support for iOS < 15.7 (#19847) 2023-01-16 17:28:59 +00:00
new_post_manager_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
new_post_result_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
onebox_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
oneboxer_spec.rb FIX: Use Twitter API v2 for oneboxes and restore OpenGraph fallback (#22187) 2023-06-22 14:39:02 -03:00
onpdiff_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
password_hasher_spec.rb FEATURE: Persist password hashing algorithm/params in database (#20980) 2023-04-11 10:16:28 +01:00
pbkdf2_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
pinned_check_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
plain_text_to_markdown_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_action_creator_spec.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
post_action_destroyer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_creator_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_destroyer_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
post_jobs_enqueuer_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
post_locker_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_merger_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
post_revisor_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
presence_channel_spec.rb DEV: handles presence channel configured with everyone group (#20741) 2023-03-20 16:56:43 +01:00
pretty_text_spec.rb FIX: Add aria-label attribute to cooked hashtags (#22182) 2023-06-20 15:47:17 +10:00
promotion_spec.rb FIX: Do not validate email in TL promotion (#20892) 2023-03-30 13:52:10 +10:00
quote_comparer_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
quote_rewriter_spec.rb DEV: Update display name in new quote format - Part 2 (#22104) 2023-06-26 11:01:59 +08:00
rate_limiter_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
retrieve_title_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
rtl_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
s3_cors_rulesets_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
s3_helper_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
s3_inventory_multisite_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
s3_inventory_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
score_calculator_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
scss_checker_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
search_spec.rb FEATURE: allow searching for oldest topics (#21715) 2023-05-24 18:26:36 +10:00
secure_session_spec.rb Add RSpec 4 compatibility (#17652) 2022-07-28 10:27:38 +08:00
shrink_uploaded_image_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
sidebar_section_links_updater_spec.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
site_icon_manager_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
site_setting_extension_multisite_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
site_setting_extension_spec.rb DEV: Add auto _map extension for simple/compact list SiteSettings (#20888) 2023-03-30 14:08:19 +10:00
slug_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
spam_handler_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
suggested_topics_builder_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
system_message_spec.rb FIX: Send TL2 promotion message to correct user (#21978) 2023-06-07 22:51:24 +03:00
text_cleaner_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
text_sentinel_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
theme_flag_modifier_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
theme_javascript_compiler_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
theme_settings_manager_spec.rb FIX: Use the default value correctly for theme settings of type uploads (#20541) 2023-03-06 11:41:47 +03:00
theme_settings_parser_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
timeline_lookup_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
tiny_japanese_segmenter_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
topic_creator_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
topic_publisher_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
topic_query_spec.rb FEATURE: allow user to override watched_precedence_over_muted setting (#22340) 2023-07-04 15:08:29 +10:00
topic_retriever_spec.rb FEATURE: Update topic/comment embedding parameters (#20181) 2023-02-28 14:31:59 +02:00
topic_upload_security_manager_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
topic_view_spec.rb DEV: add topic_query_suggested_options modifier (#20893) 2023-03-31 09:03:15 +11:00
topics_bulk_action_spec.rb SECURITY: Prevent dismissal of topics that user can't see (#22086) 2023-06-13 11:08:55 -06:00
topics_filter_spec.rb DEV: Add order:title filter to experimental /filter route (#22293) 2023-06-28 06:21:56 +08:00
trashable_spec.rb DEV: Added .only_deleted scope in the Trashable module (#20196) 2023-02-07 15:28:59 -03:00
trust_level_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
twitter_api_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
unread_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
upload_creator_spec.rb DEV: allow using CDN URL for all s3 uploads (#20755) 2023-07-12 12:06:49 +08:00
upload_markdown_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
upload_recovery_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
upload_security_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
url_helper_spec.rb SECURITY: Limit URL length for theme remote (#20787) 2023-03-23 12:01:04 +00:00
user_comm_screener_spec.rb DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
user_lookup_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
user_name_suggester_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
version_spec.rb DEV: Support version operators in .discourse-compatibility (#22714) 2023-07-25 14:04:39 +01:00