Limit quick search possible classes and improve params check for reports and activities [SCI-11260] (#8034)

2024-11-15 05:34:53 +08:00 · 2024-11-12 16:37:42 +01:00 · 2024-11-12 16:37:42 +01:00 · 2d70773cda
commit 2d70773cda
parent 19aa77f14a
5 changed files with 38 additions and 3 deletions
--- a/app/controllers/global_activities_controller.rb
+++ b/app/controllers/global_activities_controller.rb
@ -151,7 +151,25 @@ class GlobalActivitiesController < ApplicationController
  end

  def activity_filter_params
-    params.permit(:name, filter: {})
+    params.permit(
+      :name,
+      filter: [
+        :to_date,
+        :from_date,
+        { types: [] },
+        { subjects: {
+          'Report' => [],
+          'Project' => [],
+          'MyModule' => [],
+          'Protocol' => [],
+          'Experiment' => [],
+          'RepositoryRow' => [],
+          'RepositoryBase' => []
+        } },
+        { users: [] },
+        { teams: [] }
+      ]
+    )
  end

  def activity_filters
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@ -361,7 +361,7 @@ class ReportsController < ApplicationController

  def report_params
    params.require(:report)
-          .permit(:name, :description, :grouped_by, :report_contents, settings: {})
+          .permit(:name, :description, :grouped_by, :report_contents, settings: permit_report_settings_structure(Report::DEFAULT_SETTINGS))
  end

  def search_params
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -145,7 +145,10 @@ class SearchController < ApplicationController

  def quick
    results = if params[:filter].present?
-                object_quick_search(params[:filter].singularize)
+                class_name = params[:filter].singularize
+                return render_422(t('general.invalid_params')) unless Constants::QUICK_SEARCH_SEARCHABLE_OBJECTS.include?(class_name)
+
+                object_quick_search(class_name)
              else
                Constants::QUICK_SEARCH_SEARCHABLE_OBJECTS.filter_map do |object|
                  next if object == 'label_template' && !LabelTemplate.enabled?
--- a/app/helpers/reports_helper.rb
+++ b/app/helpers/reports_helper.rb
@ -106,4 +106,17 @@ module ReportsHelper
      experiment_element.experiment.description
    end
  end
+
+  def permit_report_settings_structure(settings_definition)
+    settings_definition.each_with_object([]) do |(key, value), permitted|
+      permitted << case value
+                   when Hash
+                     { key => permit_report_settings_structure(value) }
+                   when Array
+                     { key => [] }
+                   else
+                     key
+                   end
+    end
+  end
 end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -4305,6 +4305,7 @@ en:
    comment_placeholder: "Your Message"
    comment_placeholder_new: "Add new comment…"
    archived: "Archived"
+    invalid_params: "Invalid params"
    sort:
      title: "Sorting"
      new_html: "Started last"