[api] mass-assignment is needed for xml object handover. Disallow has…

…hed parameter values instead to ensure that we have no undetected leak yet.
openSUSE · Mar 9, 2012 · 6fd139a · 6fd139a
1 parent d16e1ad
commit 6fd139a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/src/api/app/controllers/application_controller.rb b/src/api/app/controllers/application_controller.rb
@@ -8,6 +8,7 @@
 
 class InvalidHttpMethodError < Exception; end
 class MissingParameterError < Exception; end
+class InvalidParameterError < Exception; end
 class IllegalRequestError < Exception; end
 class IllegalEncodingError < Exception; end
 class UserNotFoundError < Exception; end
@@ -43,6 +44,7 @@ class ApplicationController < ActionController::Base
   before_filter :setup_backend, :add_api_version, :restrict_admin_pages
   before_filter :shutup_rails
   before_filter :set_current_user
+  before_filter :validate_params
 
   #contains current authentification method, one of (:proxy, :basic)
   attr_accessor :auth_method
@@ -112,6 +114,14 @@ def extract_user_public
     return true
   end
 
+  def validate_params
+    params.each do |p|
+      if not p[1].nil? and p[1].class != String
+        raise InvalidParameterError, "Parameter #{p[0]} has non String class #{p[1].class}"
+      end
+    end
+  end
+
   def extract_user
     mode = :basic
     mode = ICHAIN_MODE if defined? ICHAIN_MODE
@@ -488,6 +498,8 @@ def rescue_action_in_public( exception )
       render_error :message => exception.message, :status => 404, :errorcode => "not_found"
     when MissingParameterError
       render_error :status => 400, :message => exception.message, :errorcode => "missing_parameter"
+    when InvalidParameterError
+      render_error :status => 400, :message => exception.message, :errorcode => "invalid_parameter"
     when DbProject::CycleError
       render_error :status => 400, :message => exception.message, :errorcode => "project_cycle"
     when DbProject::DeleteError

diff --git a/src/api/config/environment.rb b/src/api/config/environment.rb
@@ -86,10 +86,6 @@
   end unless Rails.env.test?
 end
 
-# we do not mass assignment features. It should be no problem to have it,
-# but to be on the safe side for a potential security problem we disable it by default.
-ActiveRecord::Base.send(:attr_accessible, nil)
-
 # rake gems:install doesn't load initializers, load options manually if CONFIG is undefined
 require File.join(File.dirname(__FILE__), 'initializers', 'options') unless defined?(CONFIG)
 

diff --git a/src/api/test/functional/about_controller_test.rb b/src/api/test/functional/about_controller_test.rb
@@ -12,4 +12,10 @@ def test_about
     assert_tag( :tag => "about", :descendant => { :tag => "revision" } )
   end
 
+  def test_application_controller
+    get "/about?user[asd]=yxc"
+    assert_response 400
+    assert_tag( :tag => "status", :attributes => { :code => "invalid_parameter" } )
+  end
+
 end