github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-26 06:43:44 +08:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
e9a8c059ec
discourse/spec/requests
History
Daniel Waterworth e9a8c059ec
SECURITY: Prevent large staff actions causing DoS 
This commit operates at three levels of abstraction:

 1. We want to prevent user history rows from being unbounded in size.
    This commit adds rails validations to limit the sizes of columns on
    user_histories,

 2. However, we don't want to prevent certain actions from being
    completed if these columns are too long. In those cases, we truncate
    the values that are given and store the truncated versions,

 3. For endpoints that perform staff actions, we can further control
    what is permitted by explicitly validating the params that are given
    before attempting the action,
2024-03-15 14:37:15 +08:00
..
admin SECURITY: Prevent large staff actions causing DoS 2024-03-15 14:37:15 +08:00
api FEATURE: Enable passkeys by default (#25340) 2024-01-23 17:23:26 +01:00
examples SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
about_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
application_controller_spec.rb DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
associate_accounts_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
badges_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
bookmarks_controller_spec.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
categories_controller_spec.rb FIX: category selectors for lazy loaded categories (#24533) 2023-12-08 12:01:08 +02:00
clicks_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
composer_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
composer_messages_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
csp_reports_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
directory_columns_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
directory_items_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
do_not_disturb_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
drafts_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
edit_directory_columns_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
email_controller_spec.rb FEATURE: remove category badge style options, set bullet style as default (#24198) 2023-11-13 10:46:15 -05:00
embed_controller_spec.rb DEV: Fix assertion in embedding test (#24694) 2023-12-05 18:30:52 +02:00
exceptions_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
export_csv_controller_spec.rb SECURITY: Prevent large staff actions causing DoS 2024-03-15 14:37:15 +08:00
extra_locales_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
finish_installation_controller_spec.rb DEV: Improve error message when test fails (#25067) 2023-12-29 12:44:41 +08:00
form_templates_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
forums_controller_spec.rb DEV: Correct forums_controller success spec (#24690) 2023-12-04 14:26:29 +00:00
groups_controller_spec.rb FIX: Allow staff to change group members visibility level for automatic groups (#25281) 2024-01-17 12:54:52 -05:00
hashtags_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
highlightjs_controller_spec.rb FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661) 2023-12-01 12:57:11 +00:00
inline_onebox_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
invites_controller_spec.rb DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
list_controller_spec.rb DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
metadata_controller_spec.rb DEV: Fix various rubocop lints (#24749) 2023-12-06 23:25:00 +01:00
noscript_escape_spec.rb SECURITY: Properly escape user content within <noscript> 2024-01-30 09:10:09 -07:00
notifications_controller_spec.rb FEATURE: Site setting to display user avatars in user menu (#24514) 2023-12-07 11:30:44 -06:00
offline_controller_spec.rb Add RSpec 4 compatibility (#17652) 2022-07-28 10:27:38 +08:00
omniauth_callbacks_controller_spec.rb FIX: Flaky spec due to incorrect Rack response body (#24640) 2023-11-30 10:49:55 +08:00
onebox_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
permalinks_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
post_action_users_controller_spec.rb DEV: Convert min_trust_to_flag_posts setting to groups (#24864) 2023-12-13 17:18:42 +08:00
post_actions_controller_spec.rb DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
post_readers_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
posts_controller_spec.rb DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
presence_controller_spec.rb FIX: Updating presence status in readonly mode should fail gracefully (#24333) 2023-11-10 14:27:43 -06:00
published_pages_controller_spec.rb DEV: Fix various spec linting issues (#24672) 2023-12-04 13:45:19 +01:00
push_notification_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
qunit_controller_spec.rb DEV: Stop building test assets in production under Embroider (#23388) 2023-09-11 09:12:37 +01:00
reviewable_claimed_topics_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
reviewables_controller_spec.rb DEV: Convert min_trust_to_flag_posts setting to groups (#24864) 2023-12-13 17:18:42 +08:00
robots_txt_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
safe_mode_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
search_controller_spec.rb FIX: Search by tag context was broken (#23006) 2023-08-08 15:15:34 -04:00
session_controller_spec.rb FIX: Webauthn origin was incorrect for subfolder setups (#25651) (#25654) 2024-02-13 08:37:51 -05:00
sidebar_sections_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
similar_topics_controller_spec.rb DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
site_controller_spec.rb DEV: Ability to collect stats without exposing them via API (#23933) 2023-11-10 00:44:05 +04:00
sitemap_controller_spec.rb DEV: Fix various rubocop lints (#24749) 2023-12-06 23:25:00 +01:00
slugs_controller_spec.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
static_controller_spec.rb DEV: Fix various rubocop lints (#24749) 2023-12-06 23:25:00 +01:00
steps_controller_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
stylesheets_controller_spec.rb DEV: Fix test incorrectly removing stylesheet cache of other processes (#25103) 2024-01-03 13:15:35 +08:00
svg_sprite_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
tag_groups_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
tags_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
theme_javascripts_controller_spec.rb DEV: Compile theme migrations javascript files when running theme qunit (#25219) 2024-01-16 09:50:44 +08:00
topics_controller_spec.rb DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
uploads_controller_multisite_spec.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
uploads_controller_spec.rb DEV: Remove full group refreshes from tests (#25414) 2024-01-25 14:28:26 +08:00
user_actions_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
user_api_keys_controller_spec.rb DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
user_avatars_controller_spec.rb FEATURE: reduce avatar sizes to 6 from 20 (#21319) 2023-06-01 10:00:01 +10:00
user_badges_controller_spec.rb DEV: Incorrect setup for test (#24736) 2023-12-06 09:26:45 +08:00
user_status_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
users_controller_spec.rb FIX: Webauthn origin was incorrect for subfolder setups (#25651) (#25654) 2024-02-13 08:37:51 -05:00
users_email_controller_spec.rb DEV: Update confirm-email flows to use central 2fa and ember rendering (#25404) 2024-01-30 10:32:42 +00:00
webhooks_controller_spec.rb FEATURE: Add Mailpace webhook (#21981) 2023-06-08 20:06:20 +03:00
wizard_controller_spec.rb DEV: Fix various spec linting issues (#24672) 2023-12-04 13:45:19 +01:00