SECURITY: CSRF vulnerabilities in `Admin::BackupsController`.

2017-03-23 10:29:35 +08:00 · 2017-03-23 10:29:35 +08:00 · 3ef82bb32c
parent 11ce73b8ed
commit 3ef82bb32c
4 changed files with 49 additions and 32 deletions
--- a/app/assets/javascripts/admin/models/backup.js.es6
+++ b/app/assets/javascripts/admin/models/backup.js.es6
@ -34,15 +34,17 @@ Backup.reopenClass({
  },

  cancel() {
-    return ajax("/admin/backups/cancel.json")
-                    .then(result => {
-                      if (!result.success) { bootbox.alert(result.message); }
-                    });
+    return ajax("/admin/backups/cancel.json", {
+      type: 'DELETE'
+    }).then(result => {
+      if (!result.success) { bootbox.alert(result.message); }
+    });
  },

  rollback() {
-    return ajax("/admin/backups/rollback.json")
-                    .then(result => {
+    return ajax("/admin/backups/rollback.json", {
+      type: 'POST'
+    }).then(result => {
      if (!result.success) {
        bootbox.alert(result.message);
      } else {
--- a/config/routes.rb
+++ b/config/routes.rb
@ -242,8 +242,8 @@ Discourse::Application.routes.draw do
      collection do
        get "logs" => "backups#logs"
        get "status" => "backups#status"
-        get "cancel" => "backups#cancel"
-        get "rollback" => "backups#rollback"
+        delete "cancel" => "backups#cancel"
+        post "rollback" => "backups#rollback"
        put "readonly" => "backups#readonly"
        get "upload" => "backups#check_backup_chunk"
        post "upload" => "backups#upload_backup_chunk"
--- a/spec/controllers/admin/backups_controller_spec.rb
+++ b/spec/controllers/admin/backups_controller_spec.rb
@ -75,18 +75,6 @@ describe Admin::BackupsController do

    end

-    describe ".cancel" do
-
-      it "cancels an export" do
-        BackupRestore.expects(:cancel!)
-
-        xhr :delete, :cancel
-
-        expect(response).to be_success
-      end
-
-    end
-
    describe ".show" do

      it "uses send_file to transmit the backup" do
@ -212,18 +200,6 @@ describe Admin::BackupsController do

    end

-    describe ".rollback" do
-
-      it "rolls back to previous working state" do
-        BackupRestore.expects(:rollback!)
-
-        xhr :get, :rollback
-
-        expect(response).to be_success
-      end
-
-    end
-
    describe ".readonly" do

      it "enables readonly mode" do
--- a/spec/integration/admin/backups_spec.rb
+++ b/spec/integration/admin/backups_spec.rb
@ -0,0 +1,39 @@
+require 'rails_helper'
+
+RSpec.describe "Managing Backups" do
+  let(:admin) { Fabricate(:admin) }
+
+  before do
+    sign_in(admin)
+  end
+
+  describe 'rolling back a restore' do
+    it 'should rollback the restore' do
+      BackupRestore.expects(:rollback!)
+
+      post "/admin/backups/rollback.json"
+
+      expect(response).to be_success
+    end
+
+    it 'should not allow rollback via a GET request' do
+      expect { get "/admin/backups/rollback.json" }
+        .to raise_error(ActionController::RoutingError)
+    end
+  end
+
+  describe 'cancelling a backup' do
+    it "should cancel an backup" do
+      BackupRestore.expects(:cancel!)
+
+      delete "/admin/backups/cancel.json"
+
+      expect(response).to be_success
+    end
+
+    it 'should not allow cancel via a GET request' do
+      expect { get "/admin/backups/cancel.json" }
+        .to raise_error(ActionController::RoutingError)
+    end
+  end
+end