Soverein/sanasto-wiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix vulnerabilities
CI / scan_ruby (push) Successful in 23s
Details
CI / scan_js (push) Failing after 10s
Details
CI / lint (push) Failing after 19s
Details
CI / test (push) Failing after 16s
Details
CI / system-test (push) Failing after 15s
Details

Browse Source
This commit is contained in:
Runar Ingebrigtsen
2026-01-26 21:38:17 +01:00
parent 35f10c4bda
commit a69be52b72
6 changed files with 54 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/admin/invitations_controller.rb
+7 -1
View File
@@ -44,6 +44,12 @@ class Admin::InvitationsController < Admin::BaseController
private
def invitation_params
params.require(:user).permit(:email, :name, :role, :primary_language)
permitted = params.require(:user).permit(:email, :name, :primary_language)
if params[:user][:role].present? && User.roles.key?(params[:user][:role])
permitted[:role] = params[:user][:role]
end
permitted
end
end
app/controllers/admin/users_controller.rb
+16 -3
View File
@@ -3,14 +3,20 @@ class Admin::UsersController < Admin::BaseController
def index
@users = User.order(created_at: :desc)
@users = @users.where(role: params[:role]) if params[:role].present?
@users = @users.where("email LIKE ?", "%#{params[:q]}%") if params[:q].present?
.by_role(params[:role])
.search_email(params[:q])
end
def edit
end
def update
# Prevent users from modifying their own role
if @user == current_user && user_params[:role].present?
redirect_to admin_users_path, alert: "You cannot modify your own role."
return
end
if @user.update(user_params)
redirect_to admin_users_path, notice: "User updated successfully."
else
@@ -40,6 +46,13 @@ class Admin::UsersController < Admin::BaseController
end
def user_params
params.require(:user).permit(:name, :email, :role, :primary_language)
permitted = params.require(:user).permit(:name, :email, :primary_language)
# Only allow role if it's a valid role enum value
if params[:user][:role].present? && User.roles.key?(params[:user][:role])
permitted[:role] = params[:user][:role]
end
permitted
end
end
app/controllers/entries_controller.rb
+7 -1
View File
@@ -2,7 +2,7 @@ class EntriesController < ApplicationController
before_action :set_entry, only: [ :show, :edit, :update ]
def index
@language_code = params[:language].presence
@language_code = validate_language_code(params[:language].presence)
@category = params[:category].presence
@query = params[:q].to_s.strip
@starts_with = params[:starts_with].presence
@@ -79,4 +79,10 @@ class EntriesController < ApplicationController
def entry_params
params.require(:entry).permit(:category)
end
def validate_language_code(code)
return nil if code.blank?
SupportedLanguage.valid_codes.include?(code) ? code : nil
end
end
app/models/entry.rb
+1 -1
View File
@@ -35,7 +35,7 @@ class Entry < ApplicationRecord
return none unless valid_lang?(language_code)
where.not(language_code => [ nil, "" ])
.order(Arel.sql("#{language_code} ASC"))
.order(arel_table[language_code].asc)
end
private
app/models/user.rb
+3
View File
@@ -21,6 +21,9 @@ class User < ApplicationRecord
validates :email, presence: true, uniqueness: true
validates :password, length: { minimum: 12 }, if: -> { password.present? }
scope :by_role, ->(role) { where(role: role) if role.present? }
scope :search_email, ->(q) { where("email LIKE ?", "%#{sanitize_sql_like(q)}%") if q.present? }
# Invitation token expires after 14 days
INVITATION_TOKEN_EXPIRY = 14.days
docs/TODO.md
+20 -11
View File
@@ -22,6 +22,24 @@
- [ ] Contributor permissions enforcement (for entry editing)
- [ ] Reviewer permissions enforcement (for review queue)
## Security & Vulnerabilities
- [x] **Fixed user-controlled method execution** (HIGH)
- Added language code validation in EntriesController
- Prevents arbitrary method execution via `public_send()`
- [x] **Fixed SQL injection in Entry model** (MEDIUM)
- Replaced string interpolation with Arel safe column references
- Changed `Arel.sql("#{language_code} ASC")` to `arel_table[language_code].asc`
- [x] **Fixed mass assignment vulnerabilities** (MEDIUM)
- Added role validation in admin invitations and user management
- Only allows valid enum role values
- Prevents users from modifying their own role
- [x] **Fixed SQL LIKE injection** (MEDIUM)
- Added `sanitize_sql_like()` for email search in UsersController
- Prevents wildcard injection attacks
**Status:** All Brakeman security warnings resolved ✓
## Core Features
### Search & Browse
@@ -119,24 +137,15 @@
---
## Completed
## Completed (Not Tracked Above)
- [x] **Invitation system** (complete flow with email, acceptance, and expiry validation)
- [x] **Invitation acceptance flow** (users can accept invitations and set passwords)
- [x] **Invitation mailer** (HTML and text email templates with styled design)
- [x] **Token expiry validation** (14-day expiration for invitation links)
- [x] **Controller tests** (40 tests with 160+ assertions for authentication)
- [x] **Authentication system** (login/logout with session management)
- [x] **Admin layout design** updated to match entries page style
- [x] **Dynamic navigation** (Admin button for logged-in admins, Sign In for guests)
- [x] **Authorization middleware** (Admin::BaseController with role checks)
- [x] **Invitation token generation** (secure token creation for new users)
- [x] **Controller tests** (40 tests with 160+ assertions for authentication)
- [x] **Search input loses focus on filter change**
- [x] **Mismatched enum syntax** in models
- [x] **Replace hardcoded LANGUAGE_COLUMNS** with dynamic query
- [x] **Improve fixture quality** (resolved foreign key violations)
- [x] **XLSX download** button for entries
- [x] **FTS5 integration** (migration added)
- [x] **Database schema** implementation (all models and migrations)
- [x] **Supported languages** table with seed data
- [x] **Filters do not update with new search results**