Improve HTML data escaping in JSON endpoints [SCI-3403]

2025-11-11 00:41:41 +08:00 · 2019-05-08 17:38:24 +02:00 · 2019-05-08 17:38:24 +02:00 · 40550f92c9
commit 40550f92c9
parent d5e2398f5c
10 changed files with 28 additions and 21 deletions
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -31,9 +31,8 @@ class AssetsController < ApplicationController
            'asset-id' => @asset.id,
            'image-tag-url' => @asset.url(:medium),
            'preview-url' => asset_file_preview_path(@asset),
-            'filename' => truncate(@asset.file_file_name,
+            'filename' => truncate(escape_input(@asset.file_file_name),
-                                   length:
+                                   length: Constants::FILENAME_TRUNCATION_LENGTH),
                                     Constants::FILENAME_TRUNCATION_LENGTH),
            'download-url' => download_asset_path(@asset),
            'type' => asset_data_type(@asset)
          }, status: 200
@ -47,7 +46,7 @@ class AssetsController < ApplicationController
      'id' => @asset.id,
      'type' => (@asset.is_image? ? 'image' : 'file'),
-      'filename' => truncate(@asset.file_file_name,
+      'filename' => truncate(escape_input(@asset.file_file_name),
                             length: Constants::FILENAME_TRUNCATION_LENGTH),
      'download-url' => download_asset_path(@asset, timestamp: Time.now.to_i)
    }
--- a/app/controllers/at_who_controller.rb
+++ b/app/controllers/at_who_controller.rb
@ -1,4 +1,6 @@
 class AtWhoController < ApplicationController
  include InputSanitizeHelper
  before_action :load_vars
  before_action :check_users_permissions
@ -55,7 +57,7 @@ class AtWhoController < ApplicationController
      format.json do
        render json: {
          repositories: repositories.map do |r|
-            [r.id, r.name.truncate(Constants::ATWHO_REP_NAME_LIMIT)]
+            [r.id, escape_input(r.name.truncate(Constants::ATWHO_REP_NAME_LIMIT))]
          end.to_h,
          status: :ok
        }
@ -122,9 +124,8 @@ class AtWhoController < ApplicationController
    res.each do |obj|
      tmp = {}
      tmp['id'] = obj[0].base62_encode
-      tmp['full_name'] =
+      tmp['full_name'] = escape_input(obj[1].truncate(Constants::NAME_TRUNCATION_LENGTH_DROPDOWN))
-        obj[1].truncate(Constants::NAME_TRUNCATION_LENGTH_DROPDOWN)
+      tmp['email'] = escape_input(obj[2])
      tmp['email'] = obj[2]
      tmp['img_url'] = avatar_path(obj[0], :icon_small)
      data << tmp
    end
--- a/app/controllers/global_activities_controller.rb
+++ b/app/controllers/global_activities_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class GlobalActivitiesController < ApplicationController
  include InputSanitizeHelper
  def index
    # Preload filter format
    #   {
@ -109,7 +111,7 @@ class GlobalActivitiesController < ApplicationController
                       .pluck(:id, :name)
      next if matched.length.zero?
-      results[subject] = matched.map { |pr| { id: pr[0], name: pr[1] } }
+      results[subject] = matched.map { |pr| { id: pr[0], name: escape_input(pr[1]) } }
    end
    respond_to do |format|
      format.json do
--- a/app/controllers/my_modules_controller.rb
+++ b/app/controllers/my_modules_controller.rb
@ -414,6 +414,7 @@ class MyModulesController < ApplicationController
                       repository: @repository.id,
                       record_names: dowmstream_records[my_module.id].join(', '))
        end
        records_names.map! { |n| escape_input(n) }
        flash = I18n.t('repositories.assigned_records_flash',
                       records: records_names.join(', '))
        flash = I18n.t('repositories.assigned_records_downstream_flash',
@ -471,7 +472,7 @@ class MyModulesController < ApplicationController
                     record_names: records.map(&:name).join(', '))
        flash = I18n.t('repositories.unassigned_records_flash',
-                       records: records.map(&:name).join(', '))
+                       records: records.map { |r| escape_input(r.name) }.join(', '))
        respond_to do |format|
          format.json { render json: { flash: flash }, status: :ok }
        end
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@ -104,7 +104,7 @@ class ProjectsController < ApplicationController
      up.save
      log_activity(:create_project)
-      message = t('projects.create.success_flash', name: @project.name)
+      message = t('projects.create.success_flash', name: escape_input(@project.name))
      respond_to do |format|
        format.json {
          render json: { message: message }, status: :ok
@ -136,7 +136,7 @@ class ProjectsController < ApplicationController
  def update
    return_error = false
-    flash_error = t('projects.update.error_flash', name: @project.name)
+    flash_error = t('projects.update.error_flash', name: escape_input(@project.name))
    # Check archive permissions if archiving/restoring
    if project_params.include? :archived
@ -147,7 +147,7 @@ class ProjectsController < ApplicationController
        return_error = true
        is_archive = project_params[:archived] == 'true' ? 'archive' : 'restore'
        flash_error =
-          t("projects.#{is_archive}.error_flash", name: @project.name)
+          t("projects.#{is_archive}.error_flash", name: escape_input(@project.name))
      end
    elsif !can_manage_project?(@project)
      render_403 && return
@ -177,11 +177,11 @@ class ProjectsController < ApplicationController
      log_activity(:archive_project) if project_params[:archived] == 'true'
      log_activity(:restore_project) if project_params[:archived] == 'false'
-      flash_success = t('projects.update.success_flash', name: @project.name)
+      flash_success = t('projects.update.success_flash', name: escape_input(@project.name))
      if project_params[:archived] == 'true'
-        flash_success = t('projects.archive.success_flash', name: @project.name)
+        flash_success = t('projects.archive.success_flash', name: escape_input(@project.name))
      elsif project_params[:archived] == 'false'
-        flash_success = t('projects.restore.success_flash', name: @project.name)
+        flash_success = t('projects.restore.success_flash', name: escape_input(@project.name))
      end
      respond_to do |format|
        format.html do
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@ -601,7 +601,7 @@ class ProtocolsController < ApplicationController
        format.json do
          render json: {
-            name: p_name, new_name: protocol.name, status: :ok
+            name: escape_input(p_name), new_name: escape_input(protocol.name), status: :ok
          },
          status: :ok
        end
--- a/app/controllers/repository_columns_controller.rb
+++ b/app/controllers/repository_columns_controller.rb
@ -96,7 +96,7 @@ class RepositoryColumnsController < ApplicationController
              id: @repository_column.id,
              name: escape_input(@repository_column.name),
              message: t('libraries.repository_columns.update.success_flash',
-                         name: @repository_column.name)
+                         name: escape_input(@repository_column.name))
            }, status: :ok
          else
            render json: {
@ -137,7 +137,7 @@ class RepositoryColumnsController < ApplicationController
        if @repository_column.destroy
          render json: {
            message: t('libraries.repository_columns.destroy.success_flash',
-                       name: column_name),
+                       name: escape_input(column_name)),
            id: column_id,
            status: :ok
          }
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@ -429,6 +429,7 @@ class RepositoryRowsController < ApplicationController
                      .where(repository_column: cell.repository_column)
                      .limit(Constants::SEARCH_LIMIT)
                      .pluck(:id, :data)
                      .map { |li| [li[0], escape_input(li[1])] }
  end
  def fetch_columns_list_items
@ -442,6 +443,7 @@ class RepositoryRowsController < ApplicationController
        list_items: column.repository_list_items
                          .limit(Constants::SEARCH_LIMIT)
                          .pluck(:id, :data)
                          .map { |li| [li[0], escape_input(li[1])] }
      }
    end
    collection
--- a/app/models/team.rb
+++ b/app/models/team.rb
@ -2,6 +2,7 @@ class Team < ApplicationRecord
  include SearchableModel
  include ViewableModel
  include TeamBySubjectModel
  include InputSanitizeHelper
  # Not really MVC-compliant, but we just use it for logger
  # output in space_taken related functions
@ -321,7 +322,7 @@ class Team < ApplicationRecord
      query = query.where(id: users_team)
    end
    query = query.where(id: team_by_subject(filters[:subjects])) if filters[:subjects]
-    query.select(:id, :name)
+    query.select(:id, :name).map { |res| [res[0], escape_input(res[1])] }
  end
  private
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -5,6 +5,7 @@ class User < ApplicationRecord
  include User::TeamRoles
  include User::ProjectRoles
  include TeamBySubjectModel
  include InputSanitizeHelper
  acts_as_token_authenticatable
  devise :invitable, :confirmable, :database_authenticatable, :registerable,
@ -553,7 +554,7 @@ class User < ApplicationRecord
    User.where(id: UserTeam.where(team_id: query_teams).select(:user_id))
        .search(false, search_query)
        .select(:full_name, :id)
-        .map { |i| { name: i[:full_name], id: i[:id] } }
+        .map { |i| { name: escape_input(i[:full_name]), id: i[:id] } }
  end
  protected