Soverein/sanasto-wiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix vulnerabilities
CI / scan_ruby (push) Successful in 23s
Details
CI / scan_js (push) Failing after 10s
Details
CI / lint (push) Failing after 19s
Details
CI / test (push) Failing after 16s
Details
CI / system-test (push) Failing after 15s
Details

Browse Source
This commit is contained in:
Runar Ingebrigtsen
2026-01-26 21:38:17 +01:00
parent 35f10c4bda
commit a69be52b72
6 changed files with 54 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/TODO.md
+20 -11
View File
@@ -22,6 +22,24 @@
- [ ] Contributor permissions enforcement (for entry editing)
- [ ] Reviewer permissions enforcement (for review queue)
## Security & Vulnerabilities
- [x] **Fixed user-controlled method execution** (HIGH)
- Added language code validation in EntriesController
- Prevents arbitrary method execution via `public_send()`
- [x] **Fixed SQL injection in Entry model** (MEDIUM)
- Replaced string interpolation with Arel safe column references
- Changed `Arel.sql("#{language_code} ASC")` to `arel_table[language_code].asc`
- [x] **Fixed mass assignment vulnerabilities** (MEDIUM)
- Added role validation in admin invitations and user management
- Only allows valid enum role values
- Prevents users from modifying their own role
- [x] **Fixed SQL LIKE injection** (MEDIUM)
- Added `sanitize_sql_like()` for email search in UsersController
- Prevents wildcard injection attacks
**Status:** All Brakeman security warnings resolved ✓
## Core Features
### Search & Browse
@@ -119,24 +137,15 @@
---
## Completed
## Completed (Not Tracked Above)
- [x] **Invitation system** (complete flow with email, acceptance, and expiry validation)
- [x] **Invitation acceptance flow** (users can accept invitations and set passwords)
- [x] **Invitation mailer** (HTML and text email templates with styled design)
- [x] **Token expiry validation** (14-day expiration for invitation links)
- [x] **Controller tests** (40 tests with 160+ assertions for authentication)
- [x] **Authentication system** (login/logout with session management)
- [x] **Admin layout design** updated to match entries page style
- [x] **Dynamic navigation** (Admin button for logged-in admins, Sign In for guests)
- [x] **Authorization middleware** (Admin::BaseController with role checks)
- [x] **Invitation token generation** (secure token creation for new users)
- [x] **Controller tests** (40 tests with 160+ assertions for authentication)
- [x] **Search input loses focus on filter change**
- [x] **Mismatched enum syntax** in models
- [x] **Replace hardcoded LANGUAGE_COLUMNS** with dynamic query
- [x] **Improve fixture quality** (resolved foreign key violations)
- [x] **XLSX download** button for entries
- [x] **FTS5 integration** (migration added)
- [x] **Database schema** implementation (all models and migrations)
- [x] **Supported languages** table with seed data
- [x] **Filters do not update with new search results**