diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb index 296ceb6f4..64d762b1a 100644 --- a/app/controllers/assets_controller.rb +++ b/app/controllers/assets_controller.rb @@ -31,9 +31,8 @@ class AssetsController < ApplicationController 'asset-id' => @asset.id, 'image-tag-url' => @asset.url(:medium), 'preview-url' => asset_file_preview_path(@asset), - 'filename' => truncate(@asset.file_file_name, - length: - Constants::FILENAME_TRUNCATION_LENGTH), + 'filename' => truncate(escape_input(@asset.file_file_name), + length: Constants::FILENAME_TRUNCATION_LENGTH), 'download-url' => download_asset_path(@asset), 'type' => asset_data_type(@asset) }, status: 200 @@ -47,7 +46,7 @@ class AssetsController < ApplicationController 'id' => @asset.id, 'type' => (@asset.is_image? ? 'image' : 'file'), - 'filename' => truncate(@asset.file_file_name, + 'filename' => truncate(escape_input(@asset.file_file_name), length: Constants::FILENAME_TRUNCATION_LENGTH), 'download-url' => download_asset_path(@asset, timestamp: Time.now.to_i) } diff --git a/app/controllers/at_who_controller.rb b/app/controllers/at_who_controller.rb index beed49ab9..7c3c9275f 100644 --- a/app/controllers/at_who_controller.rb +++ b/app/controllers/at_who_controller.rb @@ -1,4 +1,6 @@ class AtWhoController < ApplicationController + include InputSanitizeHelper + before_action :load_vars before_action :check_users_permissions @@ -55,7 +57,7 @@ class AtWhoController < ApplicationController format.json do render json: { repositories: repositories.map do |r| - [r.id, r.name.truncate(Constants::ATWHO_REP_NAME_LIMIT)] + [r.id, escape_input(r.name.truncate(Constants::ATWHO_REP_NAME_LIMIT))] end.to_h, status: :ok } 
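Review bot: Truncating after escaping in the new `'filename'` line can cut an entity such as `&amp;` in the middle, because `Constants::FILENAME_TRUNCATION_LENGTH` is now applied to the escaped text rather than to the original file name; the @@ -47 hunk of this file has the same ordering. Escape after truncating instead, as the at_who hunks in this commit do with `escape_input(r.name.truncate(...))`: `'filename' => escape_input(truncate(@asset.file_file_name, length: Constants::FILENAME_TRUNCATION_LENGTH, escape: false))`. If this `truncate` is ActionView's TextHelper#truncate (the `truncate(text, length:)` call shape suggests it), it already HTML-escapes its result unless `escape: false` is passed, so the present nesting may also escape the name twice depending on what `escape_input` returns. The enclosing action starts and ends outside the hunk.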
@@ -122,9 +124,8 @@ class AtWhoController < ApplicationController res.each do |obj| tmp = {} tmp['id'] = obj[0].base62_encode - tmp['full_name'] = - obj[1].truncate(Constants::NAME_TRUNCATION_LENGTH_DROPDOWN) - tmp['email'] = obj[2] + tmp['full_name'] = escape_input(obj[1].truncate(Constants::NAME_TRUNCATION_LENGTH_DROPDOWN)) + tmp['email'] = escape_input(obj[2]) tmp['img_url'] = avatar_path(obj[0], :icon_small) data << tmp end diff --git a/app/controllers/global_activities_controller.rb b/app/controllers/global_activities_controller.rb index ddf403edd..4a6619966 100644 --- a/app/controllers/global_activities_controller.rb +++ b/app/controllers/global_activities_controller.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true class GlobalActivitiesController < ApplicationController + include InputSanitizeHelper + def index # Preload filter format # { @@ -109,7 +111,7 @@ class GlobalActivitiesController < ApplicationController .pluck(:id, :name) next if matched.length.zero? - results[subject] = matched.map { |pr| { id: pr[0], name: pr[1] } } + results[subject] = matched.map { |pr| { id: pr[0], name: escape_input(pr[1]) } } end respond_to do |format| format.json do diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb index 78202ee01..1efb3199b 100644 --- a/app/controllers/my_modules_controller.rb +++ b/app/controllers/my_modules_controller.rb @@ -414,6 +414,7 @@ class MyModulesController < ApplicationController repository: @repository.id, record_names: dowmstream_records[my_module.id].join(', ')) end + records_names.map! { |n| escape_input(n) } flash = I18n.t('repositories.assigned_records_flash', records: records_names.join(', ')) flash = I18n.t('repositories.assigned_records_downstream_flash', 
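Review bot: `records_names.map! { |n| escape_input(n) }` mutates `records_names` in place, so anything that reads the array after this line receives HTML-escaped names; the only later use visible in the hunk is the flash text, but the method continues outside the hunk and the `assigned_records_downstream_flash` call is cut off before its arguments. A non-mutating form keeps the raw names available and makes the HTML-only intent explicit: `records: records_names.map { |n| escape_input(n) }.join(', ')` inside the `I18n.t` call. Worth confirming whether the downstream flash also interpolates record names, since the `record_names:` argument on the lines above is passed unescaped.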
@@ -471,7 +472,7 @@ class MyModulesController < ApplicationController record_names: records.map(&:name).join(', ')) flash = I18n.t('repositories.unassigned_records_flash', - records: records.map(&:name).join(', ')) + records: records.map { |r| escape_input(r.name) }.join(', ')) respond_to do |format| format.json { render json: { flash: flash }, status: :ok } end diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 9d4141294..f1b56d258 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -104,7 +104,7 @@ class ProjectsController < ApplicationController up.save log_activity(:create_project) - message = t('projects.create.success_flash', name: @project.name) + message = t('projects.create.success_flash', name: escape_input(@project.name)) respond_to do |format| format.json { render json: { message: message }, status: :ok @@ -136,7 +136,7 @@ class ProjectsController < ApplicationController def update return_error = false - flash_error = t('projects.update.error_flash', name: @project.name) + flash_error = t('projects.update.error_flash', name: escape_input(@project.name)) # Check archive permissions if archiving/restoring if project_params.include? :archived @@ -147,7 +147,7 @@ class ProjectsController < ApplicationController return_error = true is_archive = project_params[:archived] == 'true' ? 'archive' : 'restore' flash_error = - t("projects.#{is_archive}.error_flash", name: @project.name) + t("projects.#{is_archive}.error_flash", name: escape_input(@project.name)) end elsif !can_manage_project?(@project) render_403 && return 
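Review bot: `t(...)` in a controller returns a plain String, so `message`, built here from `escape_input(@project.name)`, carries entities that are correct only if the client inserts it as HTML; the same applies to `flash_error` in the @@ -136 and @@ -147 hunks and to `flash_success` in the @@ -177 hunk of this file. The @@ -177 hunk feeds `flash_success` into a `format.html` branch, and a flash rendered through an ERB view is escaped again on render unless the view marks it `html_safe`, which would show `&amp;amp;` for a name containing `&`; I cannot see that view from here, so this needs checking. A comment above the first escaped message would record the assumption: `# name is HTML-escaped here because the JSON consumer inserts the message as HTML; html views escape on render`. The enclosing action starts outside the hunk.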
@@ -177,11 +177,11 @@ class ProjectsController < ApplicationController log_activity(:archive_project) if project_params[:archived] == 'true' log_activity(:restore_project) if project_params[:archived] == 'false' - flash_success = t('projects.update.success_flash', name: @project.name) + flash_success = t('projects.update.success_flash', name: escape_input(@project.name)) if project_params[:archived] == 'true' - flash_success = t('projects.archive.success_flash', name: @project.name) + flash_success = t('projects.archive.success_flash', name: escape_input(@project.name)) elsif project_params[:archived] == 'false' - flash_success = t('projects.restore.success_flash', name: @project.name) + flash_success = t('projects.restore.success_flash', name: escape_input(@project.name)) end respond_to do |format| format.html do diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb index 5cc222f69..ff64a0a95 100644 --- a/app/controllers/protocols_controller.rb +++ b/app/controllers/protocols_controller.rb @@ -601,7 +601,7 @@ class ProtocolsController < ApplicationController format.json do render json: { - name: p_name, new_name: protocol.name, status: :ok + name: escape_input(p_name), new_name: escape_input(protocol.name), status: :ok }, status: :ok end diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb index a3772a29c..4d81c1ea8 100644 --- a/app/controllers/repository_columns_controller.rb +++ b/app/controllers/repository_columns_controller.rb @@ -96,7 +96,7 @@ class RepositoryColumnsController < ApplicationController id: @repository_column.id, name: escape_input(@repository_column.name), message: t('libraries.repository_columns.update.success_flash', - name: @repository_column.name) + name: escape_input(@repository_column.name)) }, status: :ok else render json: { 
@@ -137,7 +137,7 @@ class RepositoryColumnsController < ApplicationController
 if @repository_column.destroy
 render json: {
 message: t('libraries.repository_columns.destroy.success_flash',
- name: column_name),
+ name: escape_input(column_name)),
 id: column_id,
 status: :ok
 }
diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb
index c2519e51b..fe8acc014 100644
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@@ -429,6 +429,7 @@ class RepositoryRowsController < ApplicationController
 .where(repository_column: cell.repository_column)
 .limit(Constants::SEARCH_LIMIT)
 .pluck(:id, :data)
+ .map { |li| [li[0], escape_input(li[1])] }
 end
 
 def fetch_columns_list_items
@@ -442,6 +443,7 @@ class RepositoryRowsController < ApplicationController
 list_items: column.repository_list_items
 .limit(Constants::SEARCH_LIMIT)
 .pluck(:id, :data)
+ .map { |li| [li[0], escape_input(li[1])] }
 }
 end
 collection
diff --git a/app/models/team.rb b/app/models/team.rb
index 50103041f..f0827a728 100644
--- a/app/models/team.rb
+++ b/app/models/team.rb
@@ -2,6 +2,7 @@ class Team < ApplicationRecord
 include SearchableModel
 include ViewableModel
 include TeamBySubjectModel
+ include InputSanitizeHelper
 
 # Not really MVC-compliant, but we just use it for logger
 # output in space_taken related functions
@@ -321,7 +322,7 @@ class Team < ApplicationRecord
 query = query.where(id: users_team)
 end
 query = query.where(id: team_by_subject(filters[:subjects])) if filters[:subjects]
- query.select(:id, :name)
+ query.select(:id, :name).map { |res| [res[0], escape_input(res[1])] }
 end
 
 private
diff --git a/app/models/user.rb b/app/models/user.rb
index dcc659415..33cab21a2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
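Review bot: The added `.map { |li| [li[0], escape_input(li[1])] }` is repeated verbatim in the @@ -442 hunk of this file; a small private method whose body is `items.map { |id, data| [id, escape_input(data)] }`, called from both `.pluck(:id, :data)` sites, would keep the two in step the next time the escaping changes. Both spots also pass the raw `data` column straight into `escape_input`; if that column can be NULL, confirm `escape_input` tolerates `nil` rather than raising. The enclosing method of the first hunk starts outside it.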
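Review bot: `res[0]` and `res[1]` in the new last line of the method index an ActiveRecord object, not a row array: `query.select(:id, :name)` yields `Team` instances (assuming `query` is the relation the chained `.where` calls suggest), and `record[0]` on a model reads an attribute named `"0"`, which is nil or an error, never the column value, so every pair would come back with a nil id and `escape_input` would receive nil for the name. Use attribute access, `query.select(:id, :name).map { |res| [res.id, escape_input(res.name)] }`, or pluck first, `query.pluck(:id, :name).map { |id, name| [id, escape_input(name)] }`. Either way the method now returns an Array where it returned a relation, so any caller that chained `.where`, `.pluck` or `.count` onto the old result breaks; I cannot see the callers from here. The method starts outside the hunk.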
@@ -5,6 +5,7 @@ class User < ApplicationRecord
 include User::TeamRoles
 include User::ProjectRoles
 include TeamBySubjectModel
+ include InputSanitizeHelper
 
 acts_as_token_authenticatable
 devise :invitable, :confirmable, :database_authenticatable, :registerable,
@@ -553,7 +554,7 @@ class User < ApplicationRecord
 User.where(id: UserTeam.where(team_id: query_teams).select(:user_id))
 .search(false, search_query)
 .select(:full_name, :id)
- .map { |i| { name: i[:full_name], id: i[:id] } }
+ .map { |i| { name: escape_input(i[:full_name]), id: i[:id] } }
 end
 
 protected
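Review bot: HTML-escaping inside a model method ties the `name` values returned by the `.map` line to one output context: any caller that renders them through an auto-escaping ERB view, or returns them in a non-HTML API, now shows or stores `&amp;` literally; the @@ -321 hunk of app/models/team.rb makes the same choice, and both models pull what appears to be a view-layer helper into the model through `include InputSanitizeHelper`. Keeping models returning raw data and escaping in the controller or view that inserts the text as HTML, as the controller hunks in this commit already do, avoids the double-escape risk and the extra model dependency. If the model-level escaping stays, a comment on the `.map` line should say so: `# full_name is HTML-escaped here; callers must not escape it again`. The enclosing method starts outside the hunk and I cannot see its callers.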