Reinforcement of security.
Signed-off-by: MORITA Shintaro <shin@sysphonic.com>
MORITA Shintaro committed Jul 12, 2015
1 parent 842e44f commit 1b82347
Showing 33 changed files with 138 additions and 90 deletions.
6 changes: 1 addition & 5 deletions app/controllers/items_controller.rb
Expand Up @@ -354,12 +354,8 @@ def destroy
if params[:from_action].nil?
render(:text => params[:id])
else
params.delete(:controller)
params.delete(:action)
params.delete(:id)
flash[:notice] = t('msg.delete_success')
params[:action] = params[:from_action]
redirect_to(params)
self.send(params[:from_action])
end
end

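Review bot: `self.send(params[:from_action])` on the new line dispatches on a request parameter with no restriction, so any method name the caller supplies, including private and inherited ones, is invoked on the controller, whereas the `redirect_to(params)` it replaces at least went back through routing. Restrict it to a fixed set of action names and use `public_send`: `raise ArgumentError unless FROM_ACTIONS.include?(params[:from_action])` followed by `public_send(params[:from_action])`, with `FROM_ACTIONS` (placeholder name) a frozen list of the actions this controller expects to return to. If this controller relies on per-action before filters for authorization, a direct method call also skips them, which is worth confirming. `destroy` begins above the hunk.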
2 changes: 1 addition & 1 deletion app/controllers/locations_controller.rb
Expand Up @@ -45,7 +45,7 @@ def open_map
con_second = []
key_array = params[:keyword].split(nil)
key_array.each do |key|
key_quot = ActiveRecord::Base.connection.quote(key)
key_quot = SqlHelper.quote(key)
con_prim << "(name=#{key_quot} or fullname=#{key_quot} or email=#{key_quot})"
con_second << SqlHelper.get_sql_like([:name, :fullname, :email], key)
end
2 changes: 0 additions & 2 deletions app/controllers/templates_controller.rb
Expand Up @@ -170,8 +170,6 @@ def destroy_local
def copy
Log.add_info(request, params.inspect)

return unless request.post?

tmpl_id = params[:thetisBoxSelKeeper].split(':').last
tmpl_item = Item.find(tmpl_id)

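Review bot: Removing `return unless request.post?` from `copy` lets the action run on a GET request, and Rails' forgery protection only verifies non-GET requests, so a plain link or image request could trigger a copy unless the route itself is limited to POST. If the guard was dropped because the route is already declared `via: :post`, a one-line comment saying so would help the next reader; otherwise keep the guard. `copy` continues below the hunk.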
4 changes: 2 additions & 2 deletions app/controllers/zeptair_post_controller.rb
Expand Up @@ -93,7 +93,7 @@ def query
end

unless zeptair_id.blank?
target_user = User.where("zeptair_id=#{zeptair_id}").first
target_user = User.where("zeptair_id=#{zeptair_id.to_i}").first
end

if target_user.nil?
Expand Down Expand Up @@ -153,7 +153,7 @@ def delete_attachment

unless zeptair_id.blank?

target_user = User.where("zeptair_id=#{zeptair_id}").first
target_user = User.where("zeptair_id=#{zeptair_id.to_i}").first

unless @login_user.admin?(User::AUTH_ZEPTAIR) or @login_user.id == target_user.id
target_user = nil
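Review bot: `zeptair_id.to_i` on the new lines of both hunks stops injection but silently turns non-numeric input into `0` (`"abc".to_i` is 0, `"12abc".to_i` is 12), so a malformed id now matches whatever row has `zeptair_id = 0` instead of failing. Passing the value as a hash condition, `User.where(zeptair_id: zeptair_id).first`, lets ActiveRecord quote it and keeps the original value in the query; where the string form is kept, `Integer(zeptair_id, 10)` raises on malformed input instead of coercing. The same `.to_i` pattern is applied in items_helper.rb, tree_element.rb, zeptair_dist_helper.rb, email.rb, folder.rb, group.rb, location.rb, mail_account.rb, mail_filter.rb, mail_folder.rb, office_map.rb, official_title.rb and paid_holiday.rb, and the same alternatives apply there. In the second hunk, `target_user.id` on the `unless` line is still evaluated before any nil check, so an unknown id raises NoMethodError; that predates this commit.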
8 changes: 5 additions & 3 deletions app/helpers/items_helper.rb
Expand Up @@ -27,7 +27,7 @@ def self.get_next_revision(user_id, source_id)

SqlHelper.validate_token([user_id, source_id])

copied_items = Item.where("user_id=#{user_id} and source_id=#{source_id}").order('created_at DESC').to_a
copied_items = Item.where("user_id=#{user_id.to_i} and source_id=#{source_id.to_i}").order('created_at DESC').to_a

rev = 0
copied_items.each do |item|
Expand All @@ -54,7 +54,8 @@ def self.get_copies_folder(user_id)
my_folder = User.get_my_folder(user_id)

unless my_folder.nil?
con = "(parent_id=#{my_folder.id}) and (name='#{Item.copies_folder}')"
folder_name_quot = SqlHelper.quote(Item.copies_folder)
con = "(parent_id=#{my_folder.id}) and (name=#{folder_name_quot})"

begin
copies_folder = Folder.where(con).first
Expand Down Expand Up @@ -89,7 +90,8 @@ def self.exists_copies_folder?(user_id)
my_folder = User.get_my_folder(user_id)

unless my_folder.nil?
con = "(parent_id=#{my_folder.id}) and (name='#{Item.copies_folder}')"
folder_name_quot = SqlHelper.quote(Item.copies_folder)
con = "(parent_id=#{my_folder.id}) and (name=#{folder_name_quot})"

begin
copies_folder = Folder.where(con).first
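Review bot: The new lines in `get_copies_folder` and `exists_copies_folder?` build the same `con` string by hand, and `Folder.where(con)` can be written with hash conditions that let ActiveRecord quote the name: `copies_folder = Folder.where(parent_id: my_folder.id, name: Item.copies_folder).first`. That removes `folder_name_quot` and the duplicated fragment, and the same rewrite fits `get_tmpl_subfolder` in templates_helper.rb, where `name_quot` is built the same way. The `SqlHelper.quote` form is correct as written, so this is a style point rather than a defect.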
14 changes: 13 additions & 1 deletion app/helpers/sql_helper.rb
Expand Up @@ -51,7 +51,7 @@ def self.validate_token(tokens, extra_chars=nil)
#
def self.get_sql_like(attr_names, keyword)

key = ActiveRecord::Base.connection.quote("%#{SqlHelper.escape_for_like(keyword)}%")
key = SqlHelper.quote("%#{SqlHelper.escape_for_like(keyword)}%")

con = []
attr_names.each do |attr_name|
Expand All @@ -74,4 +74,16 @@ def self.escape_for_like(str)
return nil if str.nil?
return str.to_s.gsub(/([%_])/){"\\" + $1}
end

#=== self.quote
#
#Quotes string.
#
#_str_:: Target string.
#return:: Quoted string.
#
def self.quote(str)

return ActiveRecord::Base.connection.quote(str)
end
end
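Review bot: The new `self.quote` doc does not say what the result looks like, and every caller in this commit interpolates it directly into a fragment such as `name=#{...}`, so it matters that the returned value already carries its own delimiters. Suggest replacing the `#return::` line with `#return:: SQL literal for _str_ as produced by the active connection's quote, already wrapped in quotes; interpolate it as-is and never add quotes around it.` It would also help to note that non-String values are passed straight through to `connection.quote`, so a nil argument yields whatever the adapter returns for nil rather than an empty quoted string — presumably `NULL`, worth confirming.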
9 changes: 5 additions & 4 deletions app/helpers/templates_helper.rb
Expand Up @@ -31,7 +31,7 @@ module TemplatesHelper
def self.setup_tmpl_folder

begin
tmpl_folder = Folder.where("folders.name='#{TMPL_ROOT}'").first
tmpl_folder = Folder.where(name: TMPL_ROOT).first
rescue
end
if tmpl_folder.nil?
Expand Down Expand Up @@ -117,7 +117,7 @@ def self.setup_tmpl_folder
#
def self.get_tmpl_folder

tmpl_folder = Folder.where("folders.name='#{TMPL_ROOT}'").first
tmpl_folder = Folder.where(name: TMPL_ROOT).first

if tmpl_folder.nil?

Expand Down Expand Up @@ -168,10 +168,11 @@ def self.get_tmpl_subfolder(name)

SqlHelper.validate_token([name])

tmpl_folder = Folder.where("folders.name='#{TMPL_ROOT}'").first
tmpl_folder = Folder.where(name: TMPL_ROOT).first

unless tmpl_folder.nil?
con = "(parent_id=#{tmpl_folder.id}) and (name='#{name}')"
name_quot = SqlHelper.quote(name)
con = "(parent_id=#{tmpl_folder.id}) and (name=#{name_quot})"
begin
child = Folder.where(con).first
rescue => evar
4 changes: 2 additions & 2 deletions app/helpers/tree_element.rb
Expand Up @@ -100,7 +100,7 @@ def self.get_childs(klass, node_id, recursive, ret_obj)

else

nodes = klass.where("parent_id=#{node_id}").order('xorder ASC, id ASC').to_a
nodes = klass.where("parent_id=#{node_id.to_i}").order('xorder ASC, id ASC').to_a
if ret_obj
array = nodes
else
Expand Down Expand Up @@ -139,7 +139,7 @@ def self.get_tree(klass, tree, conditions, node_id, order_by)
else
con = Marshal.load(Marshal.dump(conditions)) + ' and '
end
con << "(parent_id=#{node_id})"
con << "(parent_id=#{node_id.to_i})"

tree[node_id] = klass.where(con).order(order_by).to_a

6 changes: 3 additions & 3 deletions app/helpers/zeptair_dist_helper.rb
Expand Up @@ -63,7 +63,7 @@ def self.get_comment_of(item_id, user_id)

SqlHelper.validate_token([item_id, user_id])
begin
comment = Comment.where("(user_id=#{user_id}) and (item_id=#{item_id}) and (xtype='#{Comment::XTYPE_DIST_ACK}')").first
comment = Comment.where("(user_id=#{user_id.to_i}) and (item_id=#{item_id.to_i}) and (xtype='#{Comment::XTYPE_DIST_ACK}')").first
rescue => evar
Log.add_error(nil, evar)
end
Expand Down Expand Up @@ -145,7 +145,7 @@ def self.completed_ack_message(item_id)
#
def self.count_ack_users(item_id)
SqlHelper.validate_token([item_id])
return Comment.where("(item_id=#{item_id}) and (xtype='#{Comment::XTYPE_DIST_ACK}')").count
return Comment.where("(item_id=#{item_id.to_i}) and (xtype='#{Comment::XTYPE_DIST_ACK}')").count
end

#=== self.count_completed_users
Expand All @@ -158,7 +158,7 @@ def self.count_ack_users(item_id)
def self.count_completed_users(item_id)
SqlHelper.validate_token([item_id])
ack_msg = ZeptairDistHelper.completed_ack_message(item_id)
return Comment.where("(item_id=#{item_id}) and (xtype='#{Comment::XTYPE_DIST_ACK}') and (message='#{ack_msg}')").count
return Comment.where("(item_id=#{item_id.to_i}) and (xtype='#{Comment::XTYPE_DIST_ACK}') and (message='#{ack_msg}')").count
end

#=== self.get_feeds
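Review bot: In `count_completed_users` the new line still interpolates `ack_msg` bare into `message='#{ack_msg}'` while the ids on the same line were coerced, so a quote character in the message built by `completed_ack_message` (defined above the hunk) would still break the statement. Use the helper this commit adds: `return Comment.where("(item_id=#{item_id.to_i}) and (xtype='#{Comment::XTYPE_DIST_ACK}') and (message=#{SqlHelper.quote(ack_msg)})").count`. Whether the message can contain such characters depends on `completed_ack_message`, which is not visible here, but quoting it costs nothing.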
8 changes: 4 additions & 4 deletions app/models/email.rb
Expand Up @@ -622,7 +622,7 @@ def self.trim(user_id, mail_account_id, max)
SqlHelper.validate_token([user_id, mail_account_id])

begin
count = Email.where("mail_account_id=#{mail_account_id}").count
count = Email.where("mail_account_id=#{mail_account_id.to_i}").count
if count > max
#logger.fatal("[INFO] Email.trim(user_id:#{user_id}, mail_account_id:#{mail_account_id}, max:#{max})")
over_num = count - max
Expand All @@ -639,7 +639,7 @@ def self.trim(user_id, mail_account_id, max)
# Now, remove others
if emails.length < over_num
over_num -= emails.length
emails += Email.where("mail_account_id=#{mail_account_id}").order('updated_at ASC').limit(over_num).to_a
emails += Email.where("mail_account_id=#{mail_account_id.to_i}").order('updated_at ASC').limit(over_num).to_a
end

emails.each do |email|
Expand Down Expand Up @@ -686,7 +686,7 @@ def self.trim_by_capacity(user_id, mail_account_id, capacity_mb)
#
# # Now, remove others
# if over_size > 0
# emails = Email.where("mail_account_id=#{mail_account_id}").order('updated_at ASC').to_a
# emails = Email.where("mail_account_id=#{mail_account_id.to_i}").order('updated_at ASC').to_a
# emails.each do |email|
# next if email.size.nil?
#
Expand Down Expand Up @@ -762,7 +762,7 @@ def self.destroy_by_user(user_id, add_con=nil)

SqlHelper.validate_token([user_id])

con = "user_id=#{user_id}"
con = "(user_id=#{user_id.to_i})"
con << " and (#{add_con})" unless add_con.nil? or add_con.empty?
emails = Email.where(con).to_a

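Review bot: `destroy_by_user` now coerces `user_id` but `add_con` on the next line is still appended verbatim, so the method's safety rests entirely on callers passing a trusted SQL fragment, and nothing in the method says so. Add above the `con =` line: `# add_con is a raw SQL fragment appended unquoted: build it from constants or SqlHelper.quote, never from request parameters.` The same applies to `destroy_by_user` and `get_using_size` in mail_account.rb. Separately, the hunk at -686 edits a line inside a commented-out block, which changes nothing at runtime.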
14 changes: 7 additions & 7 deletions app/models/folder.rb
Expand Up @@ -240,18 +240,18 @@ def self.get_tree_by_group_for_admin(group_id)
if group_id.to_s == '0'
sql = 'select distinct * from folders'

where = " where (parent_id = #{tree_id})"
where << " and ((xtype is null) or not(xtype = '#{XTYPE_GROUP}' or xtype = '#{XTYPE_USER}'))"
where = " where (parent_id=#{tree_id.to_i})"
where << " and ((xtype is null) or not((xtype='#{XTYPE_GROUP}') or (xtype='#{XTYPE_USER}')))"

order_by = ' order by xorder ASC, id ASC'
else
sql = 'select distinct Folder.* from folders Folder, users User'

where = " where (Folder.parent_id = #{tree_id})"
where = " where (Folder.parent_id=#{tree_id.to_i})"
where << ' and ('
where << "(Folder.xtype = '#{XTYPE_GROUP}' and Folder.owner_id = #{group_id})"
where << "((Folder.xtype='#{XTYPE_GROUP}') and (Folder.owner_id=#{group_id.to_i}))"
where << ' or '
where << "(Folder.xtype = '#{XTYPE_USER}' and Folder.owner_id = User.id and #{SqlHelper.get_sql_like(['User.groups'], "|#{group_id}|")})"
where << "((Folder.xtype='#{XTYPE_USER}') and (Folder.owner_id=User.id) and #{SqlHelper.get_sql_like(['User.groups'], "|#{group_id}|")})"
where << ' )'

order_by = ' order by Folder.xorder ASC, Folder.id ASC'
Expand Down Expand Up @@ -324,7 +324,7 @@ def self.get_tree(folder_tree, conditions, parent, admin)
else
con << ' and '
end
con << "parent_id=#{tree_id}"
con << "parent_id=#{tree_id.to_i}"
folder_tree[tree_id] += Folder.where(con).order('xorder ASC, id ASC').to_a

delete_ary = []
Expand Down Expand Up @@ -668,7 +668,7 @@ def self.get_childs(folder_id, conditions, recursive, admin, ret_obj)
else
con << ' and '
end
con << "parent_id=#{folder_id}"
con << "parent_id=#{folder_id.to_i}"

unless admin
con << " and (xtype is null or not (xtype='#{Folder::XTYPE_SYSTEM}'))"
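Review bot: In `get_tree_by_group_for_admin` the new line `(Folder.owner_id=#{group_id.to_i})` coerces `group_id`, but the `get_sql_like(['User.groups'], "|#{group_id}|")` term on the following line still interpolates the raw value, so a value such as `"3x"` is compared as owner `3` in one branch and as pattern `|3x|` in the other. `get_sql_like` quotes its pattern, so this is a consistency issue rather than an injection one; `"|#{group_id.to_i}|"` keeps the two branches in agreement. `tree_id` is set above the hunk.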
2 changes: 1 addition & 1 deletion app/models/group.rb
Expand Up @@ -376,7 +376,7 @@ def self.get_group_folder(group_id)

SqlHelper.validate_token([group_id])
begin
return Folder.where("(owner_id=#{group_id}) and (xtype='#{Folder::XTYPE_GROUP}')").first
return Folder.where("(owner_id=#{group_id.to_i}) and (xtype='#{Folder::XTYPE_GROUP}')").first
rescue => evar
Log.add_error(nil, evar)
return nil
2 changes: 1 addition & 1 deletion app/models/location.rb
Expand Up @@ -48,7 +48,7 @@ def self.get_for_group(group_id)
if group_id.nil?
con = 'group_id is null'
else
con = "group_id=#{group_id}"
con = "group_id=#{group_id.to_i}"
end

Location.do_expire(con)
6 changes: 3 additions & 3 deletions app/models/mail_account.rb
Expand Up @@ -72,7 +72,7 @@ def self.get_using_size(mail_account_id, add_con=nil)
SqlHelper.validate_token([mail_account_id])

con = []
con << "(mail_account_id=#{mail_account_id})"
con << "(mail_account_id=#{mail_account_id.to_i})"
con << "(#{add_con})" unless add_con.nil? or add_con.empty?

return (Email.count_by_sql("select SUM(size) from emails where #{con.join(' and ')}") || 0)
Expand Down Expand Up @@ -156,7 +156,7 @@ def self.destroy_by_user(user_id, add_con=nil)

SqlHelper.validate_token([user_id])

con = "user_id=#{user_id}"
con = "(user_id=#{user_id.to_i})"
con << " and (#{add_con})" unless add_con.nil? or add_con.empty?
mail_accounts = MailAccount.where(con).to_a

Expand Down Expand Up @@ -258,7 +258,7 @@ def self.get_default_for(user_id, xtype=nil)
SqlHelper.validate_token([user_id, xtype])

con = []
con << "(user_id=#{user_id})"
con << "(user_id=#{user_id.to_i})"
con << '(is_default=1)'
con << "(xtype='#{xtype}')" unless xtype.blank?

2 changes: 1 addition & 1 deletion app/models/mail_filter.rb
Expand Up @@ -67,7 +67,7 @@ def self.get_for(mail_account_id, enabled=nil, trigger=nil)
SqlHelper.validate_token([mail_account_id, trigger])

con = []
con << "(mail_account_id=#{mail_account_id})"
con << "(mail_account_id=#{mail_account_id.to_i})"
con << "(enabled=#{(enabled)?(1):(0)})" unless enabled.nil?
con << SqlHelper.get_sql_like([:triggers], "|#{trigger}|") unless trigger.nil?

8 changes: 5 additions & 3 deletions app/models/mail_folder.rb
Expand Up @@ -122,6 +122,8 @@ def self.sort_tree(folder_tree)
#
def self.get_condtions_for(user, mail_account_ids)

SqlHelper.validate_token([mail_account_ids])

if mail_account_ids.nil? or mail_account_ids.empty?
return "(user_id=#{user.id} and (mail_account_id is null))"
else
Expand Down Expand Up @@ -151,8 +153,8 @@ def self.get_for(user, mail_account_id, xtype)
SqlHelper.validate_token([user_id, mail_account_id, xtype])

con = []
con << "(user_id=#{user_id})"
con << "(mail_account_id=#{mail_account_id})"
con << "(user_id=#{user_id.to_i})"
con << "(mail_account_id=#{mail_account_id.to_i})"
con << "(xtype='#{xtype}')"

return MailFolder.where(con.join(' and ')).first
Expand All @@ -178,7 +180,7 @@ def self.get_account_roots_for(user)
SqlHelper.validate_token([user_id])

con = []
con << "(user_id=#{user_id})"
con << "(user_id=#{user_id.to_i})"
con << "(xtype='#{MailFolder::XTYPE_ACCOUNT_ROOT}')"

order_by = 'xorder ASC, id ASC'
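Review bot: The new `SqlHelper.validate_token([mail_account_ids])` in `get_condtions_for` wraps an array inside another array, so if `validate_token` checks each element of `tokens` (its signature `validate_token(tokens, extra_chars=nil)` appears in sql_helper.rb but its body is not visible here) it would inspect the array object rather than the ids inside it. Passing the ids directly, `SqlHelper.validate_token(Array(mail_account_ids))`, checks what is actually interpolated into the condition below and also tolerates a nil argument. The nil/empty branch that follows can stay as it is.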
4 changes: 2 additions & 2 deletions app/models/office_map.rb
Expand Up @@ -37,10 +37,10 @@ def self.get_for_group(group_id, incl_img_content=false)
office_map = nil
else
if incl_img_content
office_map = OfficeMap.where("group_id=#{group_id}").first
office_map = OfficeMap.where("group_id=#{group_id.to_i}").first
else
sql = 'select id, group_id, img_enabled, img_name, img_size, img_content_type, created_at, updated_at from office_maps'
sql << " where group_id=#{group_id}"
sql << " where group_id=#{group_id.to_i}"
begin
office_map = OfficeMap.find_by_sql(sql).first
rescue
2 changes: 1 addition & 1 deletion app/models/official_title.rb
Expand Up @@ -70,7 +70,7 @@ def self.get_for(group_id, include_parents=false, enabled=nil)

con << '(' + group_con + ')'
else
con << "(group_id=#{group_id})"
con << "(group_id=#{group_id.to_i})"
end

order_by = 'order by xorder ASC, id ASC'
10 changes: 5 additions & 5 deletions app/models/paid_holiday.rb
Expand Up @@ -34,11 +34,11 @@ def self.get_for(user_id, fiscal_year=nil)

begin
con = []
con << "(user_id=#{user_id})"
con << "(user_id=#{user_id.to_i})"
if fiscal_year.nil?
return PaidHoliday.where(con).order('year ASC').to_a
else
con << "(year=#{fiscal_year})"
con << "(year=#{fiscal_year.to_i})"
return PaidHoliday.where(con.join(' and ')).first
end
rescue
Expand All @@ -61,8 +61,8 @@ def self.update_for(user_id, fiscal_year, num)

if num <= 0
con = []
con << "(user_id=#{user_id})"
con << "(year=#{fiscal_year})"
con << "(user_id=#{user_id.to_i})"
con << "(year=#{fiscal_year.to_i})"
PaidHoliday.destroy_all(con.join(' and '))
return
end
Expand Down Expand Up @@ -100,7 +100,7 @@ def self.get_carried_over(user_id, year)
return 0 if paidhld_carry_over.nil? or paidhld_carry_over.empty? or paidhld_carry_over == PaidHoliday::CARRY_OVER_NONE

begin
con = "(user_id=#{user_id}) and (year < #{year})"
con = "(user_id=#{user_id.to_i}) and (year < #{year.to_i})"
paidhlds = PaidHoliday.where(con).order('year ASC').to_a
rescue
end
