Use Date.parse instead of Time.now.parse to parse user controlled date

Date.parse is more robust when dealing with empty strings or out of the range dates
openSUSE · Oct 27, 2020 · d3b5601 · d3b5601
1 parent c559f51
commit d3b5601
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/src/api/app/jobs/project_create_auto_cleanup_requests_job.rb b/src/api/app/jobs/project_create_auto_cleanup_requests_job.rb
@@ -56,7 +56,7 @@ def autoclean_project(prj)
       attribute = prj.attribs.find_by_attrib_type_id(@cleanup_attribute.id)
       return unless attribute
 
-      time = Time.zone.parse(attribute.values.first.value)
+      time = Date.parse(attribute.values.first.value)
     rescue TypeError, ArgumentError
       # nil time raises TypeError
       return

diff --git a/src/api/spec/jobs/project_create_auto_cleanup_requests_job_spec.rb b/src/api/spec/jobs/project_create_auto_cleanup_requests_job_spec.rb
@@ -52,5 +52,23 @@
         expect(project.target_of_bs_request_actions.where(type: 'delete').count).to eq(0)
       end
     end
+
+    context 'with empty cleanup time' do
+      before do
+        attribute.values.first.value = ''
+        attribute.save
+      end
+
+      it { expect { subject }.not_to raise_error }
+    end
+
+    context 'with invalid cleanup time' do
+      before do
+        attribute.values.first.value = '200000'
+        attribute.save
+      end
+
+      it { expect { subject }.not_to raise_error }
+    end
   end
 end