Fix possible XSS issues (#365)
* some fixes for old migrations that allow new migrations to run

* force ssl default true unless env var is set

* check that addresses contain no HTML tags
sonic182 committed Oct 19, 2021
1 parent 7e56c6a commit 924d160
Showing 22 changed files with 28 additions and 20 deletions.
4 changes: 4 additions & 0 deletions app/models/common.rb
Expand Up @@ -31,6 +31,10 @@ class Common < ActiveRecord::Base
validates :email,
format: {with: /\A([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,})\z/i,
message: "Only valid emails"}, allow_blank: true
validates :invoicing_address, format: { without: /<(.*)>.*?|<(.*) \/>/,
message: "wrong format" }
validates :shipping_address, format: { without: /<(.*)>.*?|<(.*) \/>/,
message: "wrong format" }

# Events
after_save :purge_items
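Review bot: The `without:` pattern on the new invoicing_address and shipping_address validations (and the identical pattern added to app/models/customer.rb) has a gap: `.` does not match a newline unless the regex carries the `/m` flag, so in a multi-line address a tag whose attributes continue on the next line is not rejected, while the trailing `.*?` and the `<(.*) \/>` branch add nothing because `<(.*)>` already matches everything they do. A negated character class covers both cases without the flag: `ADDRESS_FORMAT = /<[^>]*>/` as a model constant, then `validates :invoicing_address, :shipping_address, format: { without: ADDRESS_FORMAT, message: "wrong format" }` (customer.rb keeps its own "Wrong address format" message). Since this is an input filter rather than output encoding, it is worth a comment stating that the views must still escape these fields; Rails' ERB auto-escaping does that unless `raw`/`html_safe` is used on them, which I cannot verify from this diff. The Common class body starts and ends outside the hunk.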
4 changes: 4 additions & 0 deletions app/models/customer.rb
Expand Up @@ -11,6 +11,10 @@ class Customer < ActiveRecord::Base
# Validation
validate :valid_customer_identification
validates_uniqueness_of :name, scope: :identification
validates :invoicing_address, format: { without: /<(.*)>.*?|<(.*) \/>/,
message: "Wrong address format" }
validates :shipping_address, format: { without: /<(.*)>.*?|<(.*) \/>/,
message: "Wrong address format" }

# Behaviors
acts_as_taggable
2 changes: 1 addition & 1 deletion config/environments/production.rb
Expand Up @@ -47,7 +47,7 @@
# config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]

# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
config.force_ssl = ENV['NO_FORCE_SSL'].present? ? false : true

# Use the lowest log level to ensure availability of diagnostic information
# when problems arise.
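Review bot: Any non-blank value of `NO_FORCE_SSL` switches `force_ssl` off, so a deployer exporting `NO_FORCE_SSL=false` or `NO_FORCE_SSL=0` would silently lose the HTTPS redirect, Strict-Transport-Security and secure cookies that the comment above the line promises. The ternary is also redundant because `present?` already yields a boolean; the minimal rewrite is `config.force_ssl = ENV['NO_FORCE_SSL'].blank?`, and a stricter one compares against one documented opt-out value, e.g. `# Only NO_FORCE_SSL=1 disables forced SSL (plain-HTTP deployments); any other value keeps it on.` followed by `config.force_ssl = ENV['NO_FORCE_SSL'] != '1'`. The enclosing configure block starts and ends outside the hunk.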
2 changes: 1 addition & 1 deletion db/migrate/20160907152236_default_for_enabled.rb
@@ -1,4 +1,4 @@
class DefaultForEnabled < ActiveRecord::Migration
class DefaultForEnabled < ActiveRecord::Migration[4.2]
def change
change_column_default(:commons, :enabled, true)
change_column_default(:commons, :draft, false)
2 changes: 1 addition & 1 deletion db/migrate/20160908093323_add_indexes_on_deleted_column.rb
@@ -1,4 +1,4 @@
class AddIndexesOnDeletedColumn < ActiveRecord::Migration
class AddIndexesOnDeletedColumn < ActiveRecord::Migration[4.2]
def change
add_index :commons, :deleted_at
add_index :customers, :deleted_at
2 changes: 1 addition & 1 deletion db/migrate/20160913081503_remove_status_from_commons.rb
@@ -1,4 +1,4 @@
class RemoveStatusFromCommons < ActiveRecord::Migration
class RemoveStatusFromCommons < ActiveRecord::Migration[4.2]
def change
remove_column :commons, :status
end
2 changes: 1 addition & 1 deletion db/migrate/20160915000824_add_active_to_customer.rb
@@ -1,4 +1,4 @@
class AddActiveToCustomer < ActiveRecord::Migration
class AddActiveToCustomer < ActiveRecord::Migration[4.2]
def up
add_column :customers, :active, :boolean, default: true
Customer.update_all ["active = ?", true]
2 changes: 1 addition & 1 deletion db/migrate/20160915094942_add_failed_to_commons.rb
@@ -1,4 +1,4 @@
class AddFailedToCommons < ActiveRecord::Migration
class AddFailedToCommons < ActiveRecord::Migration[4.2]
def change
add_column :commons, :failed, :boolean, default: false
end
2 changes: 1 addition & 1 deletion db/migrate/20160923100618_series_first_number.rb
@@ -1,4 +1,4 @@
class SeriesFirstNumber < ActiveRecord::Migration
class SeriesFirstNumber < ActiveRecord::Migration[4.2]
def change
add_column :series, :first_number, :integer, default: 1
remove_column :series, :next_number
@@ -1,4 +1,4 @@
class EmailAndPrintTemplateToCommon < ActiveRecord::Migration
class EmailAndPrintTemplateToCommon < ActiveRecord::Migration[4.2]
def change
rename_column :commons, :template_id, :print_template_id
add_column :commons, :email_template_id, :integer
@@ -1,4 +1,4 @@
class EmailAndPrintDefaultTemplatesToTemplate < ActiveRecord::Migration
class EmailAndPrintDefaultTemplatesToTemplate < ActiveRecord::Migration[4.2]
def change
rename_column :templates, :default, :print_default
add_column :templates, :email_default, :boolean, default: false
2 changes: 1 addition & 1 deletion db/migrate/20161025134552_change_customer_index.rb
@@ -1,4 +1,4 @@
class ChangeCustomerIndex < ActiveRecord::Migration
class ChangeCustomerIndex < ActiveRecord::Migration[4.2]
def change
remove_index "customers", name: "cstm_idx"
add_index "customers", ["name", "identification"], name: "cstm_idx", unique: true, using: :btree
2 changes: 1 addition & 1 deletion db/migrate/20161026092553_add_template_subject.rb
@@ -1,4 +1,4 @@
class AddTemplateSubject < ActiveRecord::Migration
class AddTemplateSubject < ActiveRecord::Migration[4.2]
def change
add_column :templates, :subject, :string, limit: 200
end
@@ -1,4 +1,4 @@
class AddInvoiceNumberUniqueNumber < ActiveRecord::Migration
class AddInvoiceNumberUniqueNumber < ActiveRecord::Migration[4.2]
def change
add_index "commons", ["number", "series_id"], name: "common_unique_number_idx", unique: true, using: :btree
end
2 changes: 1 addition & 1 deletion db/migrate/20161207184222_remove_tax_amount.rb
@@ -1,4 +1,4 @@
class RemoveTaxAmount < ActiveRecord::Migration
class RemoveTaxAmount < ActiveRecord::Migration[4.2]
def change
remove_column :commons, :tax_amount
end
2 changes: 1 addition & 1 deletion db/migrate/20161208171651_remove_commons_amounts.rb
@@ -1,4 +1,4 @@
class RemoveCommonsAmounts < ActiveRecord::Migration
class RemoveCommonsAmounts < ActiveRecord::Migration[4.2]
def change
remove_column :commons, :discount_amount
remove_column :commons, :base_amount
2 changes: 1 addition & 1 deletion db/migrate/20170112115658_remove_invoice_unique_number.rb
@@ -1,4 +1,4 @@
class RemoveInvoiceUniqueNumber < ActiveRecord::Migration
class RemoveInvoiceUniqueNumber < ActiveRecord::Migration[4.2]
def change
remove_index "commons", name: "common_unique_number_idx"
end
2 changes: 1 addition & 1 deletion db/migrate/20170209101048_remove_customers_unique_name.rb
@@ -1,4 +1,4 @@
class RemoveCustomersUniqueName < ActiveRecord::Migration
class RemoveCustomersUniqueName < ActiveRecord::Migration[4.2]
def change
remove_index "customers", name: "cstm_idx"
end
@@ -1,4 +1,4 @@
class AddUniqueIndexToInvoiceSeriesAndNumber < ActiveRecord::Migration
class AddUniqueIndexToInvoiceSeriesAndNumber < ActiveRecord::Migration[4.2]
def change
add_index "commons", ["series_id", "number"], name: "common_unique_number_idx", unique: true, using: :btree
end
2 changes: 1 addition & 1 deletion db/migrate/20170217120023_add_deleted_number_to_commons.rb
@@ -1,4 +1,4 @@
class AddDeletedNumberToCommons < ActiveRecord::Migration
class AddDeletedNumberToCommons < ActiveRecord::Migration[4.2]
def change
add_column :commons, :deleted_number, :integer, default: nil
add_index "commons", ["series_id", "deleted_number"], name: "common_deleted_number_idx", using: :btree
@@ -1,4 +1,4 @@
class AddCommonsCustomerIdNotNull < ActiveRecord::Migration
class AddCommonsCustomerIdNotNull < ActiveRecord::Migration[4.2]
def change
change_column :commons, :customer_id, :integer, :null => false
end
2 changes: 1 addition & 1 deletion db/migrate/20170608155530_add_currency_to_commons.rb
@@ -1,4 +1,4 @@
class AddCurrencyToCommons < ActiveRecord::Migration
class AddCurrencyToCommons < ActiveRecord::Migration[4.2]
def up
add_column :commons, :currency, :string, limit: 3
currency = Settings.currency
