
Conversation

@aleksandarpetrushev

No description provided.

@aleksandarpetrushev
Author

@damianlegawiec Does not run at all

@aleksandarpetrushev
Author

aleksandarpetrushev commented Nov 29, 2021

For https://codeclimate.com/github/spree/spree_backend/app/controllers/spree/admin/promotion_actions_controller.rb?from_sha=31a4e70c&to_sha=fc8404a7 we need to eager load all promotion actions (in the development environment) so that Spree::PromotionAction.descendants can be searched, instead of calling .constantize on the :action_type parameter directly. In other environments they will be loaded automatically.
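The lookup described in the comment above, written out as an added example (this is not spree_backend's or spree's own code): a user-supplied type name is matched against the known descendants of a base class, and anything that is not one of them is rejected, so the raw parameter is never passed to `constantize`. The `Spree::PromotionAction` subclasses below are stand-ins constructed for the example; the helper names (`descendants_of`, `resolve_promotion_action_type`) are assumptions, not Spree APIs.

```ruby
# Added example, not code from spree_backend. Resolves an STI type name by
# looking it up among a base class's descendants instead of calling
# String#constantize on the raw request parameter.

# Stand-in class hierarchy constructed for the example. The real
# Spree::PromotionAction subclasses are defined in spree/spree and, as the
# discussion notes, must be eager-loaded in development or this list is empty.
module Spree
  class PromotionAction; end
  class CreateAdjustment < PromotionAction; end
  class FreeShipping < PromotionAction; end
end

class UnknownPromotionActionType < ArgumentError; end

# All loaded subclasses of `base` (strict descendants, so `base` itself is
# excluded). ObjectSpace is used so the example does not need ActiveSupport's
# Class#descendants or Ruby 3.1's Class#subclasses.
def descendants_of(base)
  ObjectSpace.each_object(Class).select { |klass| klass < base }
end

# Returns the descendant class whose name equals `type_name`, or raises.
# Comparing against the allowed list means arbitrary constant names such as
# "Kernel" or "Spree::PromotionAction" itself can never be resolved.
def resolve_promotion_action_type(type_name, base: Spree::PromotionAction)
  wanted = type_name.to_s
  klass = descendants_of(base).find { |candidate| candidate.name == wanted }
  if klass.nil?
    raise UnknownPromotionActionType, "#{wanted.inspect} is not a #{base.name}"
  end
  klass
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_promotion_action_type("Spree::FreeShipping")   # Spree::FreeShipping
  begin
    resolve_promotion_action_type("Kernel")
  rescue UnknownPromotionActionType => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller this replaces `params[:action_type].constantize.new` with `resolve_promotion_action_type(params[:action_type]).new`; the list of accepted classes is then whatever subclasses are loaded, which is why the development environment needs the eager load the comment describes.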


def promotion_rule_params
params[:promotion_rule].permit!
params[:promotion_rule].permit(:type)
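Review bot: `permit(:type)` narrows the permitted attributes to the STI `type` column, which is the right direction after `permit!`, but nothing in these lines checks that the supplied value names a `Spree::PromotionRule` subclass before it is used to pick a class; a lookup against the known rule types, as the conversation already proposes for `action_type`, would keep an arbitrary constant name out of the model layer. It is also worth confirming in the PR that every other attribute the form sends (preferences, `user_id`, `product_group_id`) reaches the model through the promotions update path, so the narrowing does not silently drop data.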
Member


@aleksandarpetrushev what about user_id or product_group_id attributes for this model? or preferences?


@damianlegawiec we have a similar situation as in payment_methods_controller. promotion_rules_controller is used only for #create and #destroy. When creating a promotion rule, we know the type only. The additional attributes are sent in PromotionsController#update as nested "promotion_rules_attributes", after the promotion rules have been created. Tested for all promotion rules; only the type is sent.

@damianlegawiec
Member

@aleksandarpetrushev I see there are still 7 issues listed by CC - what's the plan for them?

@aleksandarpetrushev
Author

aleksandarpetrushev commented Nov 30, 2021

@aleksandarpetrushev I see there are still 7 issues listed by CC - what's the plan for them?

@damianlegawiec
for the critical one: #59 (comment)

  • 2 of them are related to sending variable parameters (such as payment provider settings)
  • one is in the resource_controller, so I assumed (maybe wrongly) that we should not touch that one
  • first(".icon-#{type}").click is a possible SQL injection, although we are always passing in args like :edit, I can whitelist those
  • I need to look into the last two

@aleksandarpetrushev
Author

@damianlegawiec So to sum it up we have 5 issues left:

  1. and 2. are because of many different preferences we can send
  2. whitelisting all params in resource_controller
  3. not really possible sql injection (the method name is first) it is actually a test helper
  4. the most critical one - we need to eager load some models in spree/spree

So how should we proceed?

@aleksandarpetrushev
Author

Continues at #106
