Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec
History
Ted Johansson 07f87ff7a8
DEV: Strictly filter tag search limit parameter input (#21524) 
### What is the problem?

It is possible to pass an arbitrary value to the limit parameter in `TagsController#search`, and have it flow through `DiscourseTagging.filter_allowed_tags` where it will raise an error deep in the database driver. MiniSql ensures there's no injection happening, but that ultimately results in an invalid query.

### How does this fix it?

This change checks more strictly that the parameter can be cleanly converted to an integer by replacing the loose `#to_i` conversion semantics with the stronger `Kernel#Integer` ones.

**Example:**

```ruby
"1; SELECT 1".to_i
#=> 1

Integer("1; SELECT 1")
#=> ArgumentError
```

As part of the change, I also went ahead to disallow a limit of "0", as that doesn't seem to be a useful option. Previously only negative limits were disallowed.
 		2023-05-12 16:49:14 +08:00
..
fabricators DEV: Define form template field inputs (#20430) 2023-03-01 11:07:13 -08:00
fixtures FIX: email receiver should ignore x-auto-response-suppress 2023-05-03 12:20:00 -04:00
helpers DEV: Replace #pluck_first freedom patch with AR #pick in core (#19893) 2023-02-13 12:39:45 +08:00
import_export DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 11:49:28 +00:00
initializers FEATURE: Add support for user badge revocation webhook events (#21204) 2023-04-24 20:36:40 +00:00
integration DEV: Update the rubocop setup (#20668) 2023-03-14 11:42:11 +01:00
integrity DEV: Colocate wizard component templates (#20309) 2023-02-15 11:29:22 +00:00
jobs DEV: Disable SearchIndexer after fabrication (#21378) 2023-05-04 09:20:52 +08:00
lib DEV: Stub stderr instead of manual change (#21511) 2023-05-11 21:18:55 +02:00
mailers FIX: Likes received count in digest email (#21458) 2023-05-09 19:19:26 +02:00
models DEV: Gracefully handle user avatar download SSRF errors (#21523) 2023-05-12 15:32:02 +08:00
multisite DEV: Add plugin hook for transforming site setting defaults (#20941) 2023-04-05 12:28:16 +01:00
requests DEV: Strictly filter tag search limit parameter input (#21524) 2023-05-12 16:49:14 +08:00
script/import_scripts DEV: Correct syntax_tree violations 2023-02-02 13:03:11 +00:00
serializers FEATURE: Enable user tips by default (#21341) 2023-05-08 20:33:08 +03:00
services FIX: Hashtag subcategory ref incorrect when not highest-ranked type (#21163) 2023-04-20 09:03:55 +10:00
support FEATURE: Enable user tips by default (#21341) 2023-05-08 20:33:08 +03:00
system FEATURE: Default to subcategory when parent category does not allow posting (#21228) 2023-05-10 12:34:39 -05:00
tasks DEV: Capture output in hashtags spec (#20773) 2023-03-23 11:47:14 +10:00
views FEATURE: add category name in articleSection meta tag for schema. (#21004) 2023-04-06 23:30:19 +05:30
rails_helper.rb DEV: Reset capybara sessions and default driver after each test (#21402) 2023-05-05 11:37:04 +08:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 11:49:28 +00:00