Feature/add sanitize to prevent xss (LINCnil#169)

* feat: configure sanitize and add example

* feat: sanitize name, author, evaluator, validator

* feat: add some sanitize overwrite

* fix: fix for l.38 on evoluations_controller

.env-example

@@ -6,4 +6,6 @@ DEVISE_SECRET_KEY=
 DEVISE_PEPPER=
 MAILER_SENDER=
 DEFAULT_URL=
-DEFAULT_PORT=
+DEFAULT_PORT=
+SANITIZED_ALLOWED_TAGS="strong em a ul li"
+SANITIZED_ALLOWED_ATTRIBUTES="href title"

app/controllers/evaluations_controller.rb

@@ -35,7 +35,7 @@ def create
   # PATCH/PUT /evaluations/1
   def update
     if @evaluation.update(evaluation_params)
-      @evaluation.evaluation_infos = JSON.parse(params['evaluation']["evaluation_infos"]) if params['evaluation']["evaluation_infos"]
+      @evaluation.evaluation_infos = JSON.parse(params['evaluation']["evaluation_infos"]) if params.dig("evaluation", "evaluation_infos")
       @evaluation.global_status = 0 if @evaluation.status == 1 && evaluation_params["global_status"].blank?
       @evaluation.save
       render json: serialize(@evaluation)

app/models/evaluation.rb

@@ -1,11 +1,14 @@
 class Evaluation < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   belongs_to :pia, inverse_of: :evaluations
   validates :reference_to, presence: true
   attr_accessor :evaluation_infos
 
   after_create :email_for_evaluation! if ENV['ENABLE_AUTHENTICATION'].present?
   after_update :email_for_validation! if ENV['ENABLE_AUTHENTICATION'].present?
 
+  after_initialize :overwrite_to_safety_values
+
   def email_for_evaluation!
     return unless self.evaluation_infos.present?
 
@@ -32,4 +35,8 @@ def email_for_validation!
 
     UserMailer.with(validator: validator, pia: self.pia).section_ready_for_validation.deliver_now
   end
+
+  def overwrite_to_safety_values
+    self.evaluation_comment = sanitize read_attribute(:evaluation_comment)
+  end
 end

app/models/pia.rb

@@ -1,4 +1,5 @@
 class Pia < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   has_many :answers, inverse_of: :pia, dependent: :destroy
   has_many :comments, inverse_of: :pia, dependent: :destroy
   has_many :evaluations, inverse_of: :pia, dependent: :destroy
@@ -10,6 +11,8 @@ class Pia < ApplicationRecord
   belongs_to :structure, optional: true
   validates :name, presence: true
 
+  after_initialize :overwrite_to_safety_values
+
   def self.import(json_string)
     json = JSON.parse(json_string)
     json.each do |pia_in|
@@ -48,6 +51,14 @@ def duplicate
     @clone
   end
 
+  def overwrite_to_safety_values
+    self.name = sanitize read_attribute(:name)
+    self.author_name = sanitize read_attribute(:author_name)
+    self.evaluator_name = sanitize read_attribute(:evaluator_name)
+    self.validator_name = sanitize read_attribute(:validator_name)
+    self.category = sanitize read_attribute(:category)
+  end
+
   private
 
   def duplicate_self

app/models/structure.rb

@@ -1,3 +1,10 @@
 class Structure < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   has_many :pias, dependent: :nullify
+  after_initialize :overwrite_to_safety_values
+
+  def overwrite_to_safety_values
+    self.name = sanitize read_attribute(:name)
+    self.sector_name = sanitize read_attribute(:sector_name)
+  end
 end

config/application.rb

@@ -41,5 +41,10 @@ class Application < Rails::Application
     config.i18n.available_locales = [:bg, :cs, :da, :de, :el, :en, :es, :et,
                                      :fi, :fr, :hr, :hu, :it, :lt, :lv, :nl,
                                      :no, :pl, :pt, :ro, :sl, :sv]
+
+    tags_allowed = ENV['SANITIZED_ALLOWED_TAGS'] ? ENV['SANITIZED_ALLOWED_TAGS'].split(' ') : []
+    config.action_view.sanitized_allowed_tags = tags_allowed
+    attributes_allowed = ENV['SANITIZED_ALLOWED_ATTRIBUTES'] ? ENV['SANITIZED_ALLOWED_ATTRIBUTES'].split(' ') : []
+    config.action_view.sanitized_allowed_attributes = attributes_allowed
   end
 end