nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #8351 into next-minor

Browse source
This commit is contained in:
Dennis Schubert 2022-04-27 20:33:59 +02:00
commit 9212fd3f46
No known key found for this signature in database
GPG key ID: 5A0304BEA7966D7E
4 changed files with 69 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Changelog.md
View file

@ -2,6 +2,7 @@
## Security
* Bump Rails to 5.2.7 to address [CVE-2022-22577](https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533) and [CVE-2022-27777](https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534) [#8350](https://github.com/diaspora/diaspora/pull/8350)
* Do not allow the user to mass assign their own password and 2fa settings alongside other parameters. Reported by Breno Vitório (@brenu) - thank you! [#8351](https://github.com/diaspora/diaspora/pull/8351)
## Refactor

41
app/controllers/users_controller.rb
View file

@ -18,25 +18,17 @@ class UsersController < ApplicationController
end
def update
password_changed = false
user_data = user_params
@user = current_user
if user_data
# change password
if params[:change_password]
password_changed = change_password(user_data)
else
update_user(user_data)
end
if params[:change_password] && user_password_params
password_changed = change_password(user_password_params)
return redirect_to new_user_session_path if password_changed
elsif user_params
update_user(user_params)
end
if password_changed
redirect_to new_user_session_path
else
set_email_preferences
render :edit
end
set_email_preferences
render :edit
end
def update_privacy_settings
@ -137,13 +129,9 @@ class UsersController < ApplicationController
private
# rubocop:disable Metrics/MethodLength
def user_params
params.fetch(:user).permit(
:email,
:current_password,
:password,
:password_confirmation,
:language,
:color_theme,
:disable_mail,
@ -152,12 +140,17 @@ class UsersController < ApplicationController
:auto_follow_back_aspect_id,
:getting_started,
:post_default_public,
:otp_required_for_login,
:otp_secret,
email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
)
end
# rubocop:enable Metrics/MethodLength
def user_password_params
params.fetch(:user).permit(
:current_password,
:password,
:password_confirmation
)
end
def update_user(user_data)
if user_data[:email_preferences]
@ -177,8 +170,8 @@ class UsersController < ApplicationController
end
end
def change_password(user_data)
if @user.update_with_password(user_data)
def change_password(password_params)
if @user.update_with_password(password_params)
flash[:notice] = t("users.update.password_changed")
true
else

1
app/views/two_factor_authentications/_activate.haml
View file

@ -6,6 +6,5 @@
.well= t("two_factor_auth.deactivated.status")
= form_for "user", url: two_factor_authentication_path, html: {method: :post} do |f|
= f.hidden_field :otp_required_for_login, value: true
.clearfix.form-group= f.submit t("two_factor_auth.deactivated.change_button"),
class: "btn btn-primary pull-right"

73
spec/controllers/users_controller_spec.rb
View file

@ -110,38 +110,67 @@ describe UsersController, :type => :controller do
end
end
describe '#update' do
before do
@params = { :id => @user.id,
:user => { :diaspora_handle => "notreal@stuff.com" } }
describe "#update" do
context "with random params" do
let(:params) { {id: @user.id, user: {diaspora_handle: "notreal@stuff.com"}} }
it "doesn't overwrite random attributes" do
expect {
put :update, params: params
}.not_to change(@user, :diaspora_handle)
end
it "renders the user edit page" do
put :update, params: params
expect(response).to render_template('edit')
end
end
it "doesn't overwrite random attributes" do
expect {
put :update, params: @params
}.not_to change(@user, :diaspora_handle)
end
it 'renders the user edit page' do
put :update, params: @params
expect(response).to render_template('edit')
end
describe 'password updates' do
describe "password updates" do
let(:password_params) do
{:current_password => 'bluepin7',
:password => "foobaz",
:password_confirmation => "foobaz"}
{current_password: "bluepin7", password: "foobaz", password_confirmation: "foobaz"}
end
let(:params) do
{id: @user.id, user: password_params, change_password: 'Change Password'}
{id: @user.id, user: password_params, change_password: "Change Password"}
end
before do
allow(@controller).to receive(:current_user).and_return(@user)
allow(@user).to receive(:update_with_password)
allow(@user).to receive(:update_attributes)
end
it "uses devise's update with password" do
expect(@user).to receive(:update_with_password).with(hash_including(password_params))
allow(@controller).to receive(:current_user).and_return(@user)
put :update, params: params
expect(@user).to have_received(:update_with_password).with(hash_including(password_params))
expect(@user).not_to have_received(:update_attributes).with(hash_including(password_params))
end
it "does not update the password without the change_password param" do
put :update, params: params.except(:change_password).deep_merge(user: {language: "de"})
expect(@user).not_to have_received(:update_with_password).with(hash_including(password_params))
expect(@user).not_to have_received(:update_attributes).with(hash_including(password_params))
expect(@user).to have_received(:update_attributes).with(hash_including(language: "de"))
end
end
context "with otp params" do
let(:otp_params) { {otp_required_for_login: false, otp_secret: "mykey"} }
let(:params) { {id: @user.id, user: otp_params} }
before do
allow(@controller).to receive(:current_user).and_return(@user)
allow(@user).to receive(:update_attributes)
end
it "does not accept the params" do
put :update, params: params
expect(@user).not_to have_received(:update_attributes)
.with(hash_including(:otp_required_for_login, :otp_secret))
end
end