SECURITY: SQL Injection in Admin List Active Users

2016-07-28 11:42:06 -04:00 · 2016-07-28 11:42:06 -04:00 · dc1a830d3d
parent 2f8ab8cd30
commit dc1a830d3d
2 changed files with 23 additions and 1 deletions
--- a/lib/admin_user_index_query.rb
+++ b/lib/admin_user_index_query.rb
@ -18,8 +18,20 @@ class AdminUserIndexQuery
    find_users_query.count
  end

+  def self.orderable_columns
+    %w(created_at days_visited posts_read_count topics_entered post_count trust_level)
+  end
+
  def initialize_query_with_order(klass)
-    order = [params[:order]]
+    order = []
+
+    custom_order = params[:order]
+    if custom_order.present? &&
+      without_dir = custom_order.downcase.sub(/ (asc|desc)$/, '')
+      if AdminUserIndexQuery.orderable_columns.include?(without_dir)
+        order << custom_order
+      end
+    end

    if params[:query] == "active"
      order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC"
--- a/spec/components/admin_user_index_query_spec.rb
+++ b/spec/components/admin_user_index_query_spec.rb
@ -16,6 +16,16 @@ describe AdminUserIndexQuery do
      query = ::AdminUserIndexQuery.new({ query: "active" })
      expect(query.find_users_query.to_sql).to match("last_seen_at")
    end
+
+    it "can't be injected" do
+      query = ::AdminUserIndexQuery.new({ order: "wat, no" })
+      expect(query.find_users_query.to_sql).not_to match("wat, no")
+    end
+
+    it "allows custom ordering" do
+      query = ::AdminUserIndexQuery.new({ order: "trust_level DESC" })
+      expect(query.find_users_query.to_sql).to match("trust_level DESC")
+    end
  end

  describe "no users with trust level" do