Reinforcement of security.

Signed-off-by: MORITA Shintaro <shin@sysphonic.com>
sysphonic · Jul 7, 2015 · ce535a3 · ce535a3
1 parent 4ca3f5f
commit ce535a3
Show file tree

Hide file tree

Showing 29 changed files with 148 additions and 63 deletions.
diff --git a/app/controllers/desktop_controller.rb b/app/controllers/desktop_controller.rb
@@ -91,7 +91,7 @@ def edit_timecard
 
     date_s = params[:date]
 
-    if date_s.nil? or date_s.empty?
+    if date_s.blank?
       @date = Date.today
       date_s = @date.strftime(Schedule::SYS_DATE_FORM)
     else

diff --git a/app/controllers/items_controller.rb b/app/controllers/items_controller.rb
@@ -1272,9 +1272,10 @@ def team_organize
       end
 
       users = @team.get_users_a
-    end 
+    end
 
     team_members = params[:team_members]
+    SqlHelper.validate_token([team_members])
 
     created = false
     modified = false
@@ -1305,9 +1306,9 @@ def team_organize
           @team.clear_users
         end
 
-        @team.add_users team_members
+        @team.add_users(team_members)
         @team.save
-        @team.remove_application team_members
+        @team.remove_application(team_members)
 
         modified = true 
       end

diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
@@ -97,7 +97,7 @@ def send_password
     Log.add_info(request, params.inspect)
 
     mail_addr = params[:thetisBoxEdit]
-    SqlHelper.validate_token([mail_addr], ['@-'])
+    SqlHelper.validate_token([mail_addr])
     begin
       users = User.where("email='#{mail_addr}'").to_a
     rescue => evar

diff --git a/app/controllers/mail_folders_controller.rb b/app/controllers/mail_folders_controller.rb
@@ -32,9 +32,9 @@ def show_tree
     con << "(user_id=#{@login_user.id})"
 
     account_xtype = params[:mail_account_xtype]
+    SqlHelper.validate_token([account_xtype])
 
     unless account_xtype.blank?
-      SqlHelper.validate_token([account_xtype])
       con << "(xtype='#{account_xtype}')"
     end
     @mail_accounts = MailAccount.find_all(con.join(' and '))

diff --git a/app/controllers/timecards_controller.rb b/app/controllers/timecards_controller.rb
@@ -120,7 +120,7 @@ def edit
 
     date_s = params[:date]
 
-    if date_s.nil? or date_s.empty?
+    if date_s.blank?
       @date = Date.today
       date_s = @date.strftime(Schedule::SYS_DATE_FORM)
     else

diff --git a/app/controllers/zeptair_post_controller.rb b/app/controllers/zeptair_post_controller.rb
@@ -81,33 +81,35 @@ def query
 
     target_user = nil
 
-    SqlHelper.validate_token([params[:user_id], params[:zeptair_id], params[:group_id]])
+    user_id = params[:user_id]
+    zeptair_id = params[:zeptair_id]
+    group_id = params[:group_id]
+    SqlHelper.validate_token([user_id, zeptair_id, group_id])
 
-    unless params[:user_id].blank?
-      target_user = User.find(params[:user_id])
+    unless user_id.blank?
+      target_user = User.find(user_id)
     end
 
-    unless params[:zeptair_id].blank?
-      zeptair_id = params[:zeptair_id]
+    unless zeptair_id.blank?
       target_user = User.where("zeptair_id=#{zeptair_id}").first
     end
 
     if target_user.nil?
 
-      if params[:group_id].blank?
+      if group_id.blank?
         sql = 'select distinct Item.* from items Item, attachments Attachment'
         sql << " where Item.xtype='#{Item::XTYPE_ZEPTAIR_POST}' and Item.id=Attachment.item_id"
         sql << ' order by Item.user_id ASC'
       else
-        group_ids = [params[:group_id]]
+        group_ids = [group_id]
 
         if params[:recursive] == 'true'
-          group_ids += Group.get_childs(params[:group_id], true, false)
+          group_ids += Group.get_childs(group_id, true, false)
         end
 
         groups_con = []
-        group_ids.each do |group_id|
-          groups_con << SqlHelper.get_sql_like(['User.groups'], "|#{@group_id}|")
+        group_ids.each do |grp_id|
+          groups_con << SqlHelper.get_sql_like(['User.groups'], "|#{grp_id}|")
         end
         sql = 'select distinct Item.* from items Item, attachments Attachment, users User'
         sql << " where Item.xtype='#{Item::XTYPE_ZEPTAIR_POST}' and Item.id=Attachment.item_id"
@@ -134,23 +136,28 @@ def delete_attachment
 
     target_user = nil
 
-    unless params[:user_id].blank?
-      if @login_user.admin?(User::AUTH_ZEPTAIR) or @login_user.id.to_s == params[:user_id].to_s
-        target_user = User.find(params[:user_id])
+    user_id = params[:user_id]
+    zeptair_id = params[:zeptair_id]
+    attachment_id = params[:attachment_id]
+    SqlHelper.validate_token([user_id, zeptair_id, attachment_id])
+
+    unless user_id.blank?
+      if @login_user.admin?(User::AUTH_ZEPTAIR) or @login_user.id.to_s == user_id.to_s
+        target_user = User.find(user_id)
       end
     end
 
-    unless params[:zeptair_id].blank?
+    unless zeptair_id.blank?
 
-      target_user = User.where("zeptair_id=#{params[:zeptair_id]}").first
+      target_user = User.where("zeptair_id=#{zeptair_id}").first
 
       unless @login_user.admin?(User::AUTH_ZEPTAIR) or @login_user.id == target_user.id
         target_user = nil
       end
     end
 
     if target_user.nil?
-      if params[:attachment_id].blank?
+      if attachment_id.blank?
 
         query
         unless @post_items.nil?
@@ -163,7 +170,7 @@ def delete_attachment
         end
 
       else
-        attach = Attachment.find(params[:attachment_id])
+        attach = Attachment.find(attachment_id)
 
         item = Item.find(attach.item_id)
 

diff --git a/app/helpers/items_helper.rb b/app/helpers/items_helper.rb
@@ -24,6 +24,9 @@ module ItemsHelper
   #return:: Next revision number.
   #
   def self.get_next_revision(user_id, source_id)
+
+    SqlHelper.validate_token([user_id, source_id])
+
     copied_items = Item.where("user_id=#{user_id} and source_id=#{source_id}").order('created_at DESC').to_a
 
     rev = 0
@@ -35,7 +38,7 @@ def self.get_next_revision(user_id, source_id)
       break
     end
 
-    return '#' + sprintf('%03d', rev+1)
+    return ('#' + sprintf('%03d', rev+1))
   end
 
   #=== self.get_copies_folder

diff --git a/app/helpers/sql_helper.rb b/app/helpers/sql_helper.rb
@@ -25,8 +25,12 @@ module SqlHelper
   #
   def self.validate_token(tokens, extra_chars=nil)
 
-    extra_chars = Regexp.escape((extra_chars || []).join())
-    regexp = Regexp.new("^[ ]*[a-zA-Z0-9_.#{extra_chars}]+[ ]*$")
+    if extra_chars.nil?
+      extra_chars = ''
+    else
+      extra_chars = Regexp.escape(extra_chars.join())
+    end
+    regexp = Regexp.new("^[ ]*[a-zA-Z0-9_.@\\-#{extra_chars}]+[ ]*$")
 
     [tokens].flatten.each do |token|
       next if token.blank?

diff --git a/app/helpers/templates_helper.rb b/app/helpers/templates_helper.rb
@@ -166,6 +166,8 @@ def self.get_tmpl_folder
   #
   def self.get_tmpl_subfolder(name)
 
+    SqlHelper.validate_token([name])
+
     tmpl_folder = Folder.where("folders.name='#{TMPL_ROOT}'").first
 
     unless tmpl_folder.nil?
@@ -179,5 +181,4 @@ def self.get_tmpl_subfolder(name)
 
     return [tmpl_folder, child]
   end
-
 end
diff --git a/app/helpers/tree_element.rb b/app/helpers/tree_element.rb
@@ -78,6 +78,8 @@ def get_parents(ret_obj, cache=nil)
   #
   def self.get_childs(klass, node_id, recursive, ret_obj)
 
+    SqlHelper.validate_token([node_id])
+
     array = []
 
     if recursive
@@ -131,6 +133,7 @@ def get_childs(recursive, ret_obj)
   #
   def self.get_tree(klass, tree, conditions, node_id, order_by)
 
+    SqlHelper.validate_token([node_id])
     if conditions.nil?
       con = ''
     else

diff --git a/app/helpers/zeptair_dist_helper.rb b/app/helpers/zeptair_dist_helper.rb
@@ -61,6 +61,7 @@ def self.get_ack_entry_for(target)
   #
   def self.get_comment_of(item_id, user_id)
 
+    SqlHelper.validate_token([item_id, user_id])
     begin
       comment = Comment.where("(user_id=#{user_id}) and (item_id=#{item_id}) and (xtype='#{Comment::XTYPE_DIST_ACK}')").first
     rescue => evar
@@ -143,6 +144,7 @@ def self.completed_ack_message(item_id)
   #return:: The number of ACK messages to the specified Distribution Item.
   #
   def self.count_ack_users(item_id)
+    SqlHelper.validate_token([item_id])
     return Comment.where("(item_id=#{item_id}) and (xtype='#{Comment::XTYPE_DIST_ACK}')").count
   end
 
@@ -154,6 +156,7 @@ def self.count_ack_users(item_id)
   #return:: The number of completed users of the specified Distribution Item.
   #
   def self.count_completed_users(item_id)
+    SqlHelper.validate_token([item_id])
     ack_msg = ZeptairDistHelper.completed_ack_message(item_id)
     return Comment.where("(item_id=#{item_id}) and (xtype='#{Comment::XTYPE_DIST_ACK}') and (message='#{ack_msg}')").count
   end

diff --git a/app/models/address.rb b/app/models/address.rb
@@ -36,6 +36,8 @@ class Address < ActiveRecord::Base
   #
   def self.get_by_email(mail_addr, user, book=Address::BOOK_BOTH)
 
+    SqlHelper.validate_token([mail_addr])
+
     email_con = []
     email_con.push("(email1='#{mail_addr}')")
     email_con.push("(email2='#{mail_addr}')")

diff --git a/app/models/email.rb b/app/models/email.rb
@@ -618,6 +618,9 @@ def get_dir
   #_max_:: Max number.
   #
   def self.trim(user_id, mail_account_id, max)
+
+    SqlHelper.validate_token([user_id, mail_account_id])
+
     begin
       count = Email.where("mail_account_id=#{mail_account_id}").count
       if count > max
@@ -757,6 +760,8 @@ def self.destroy(id)
   #
   def self.destroy_by_user(user_id, add_con=nil)
 
+    SqlHelper.validate_token([user_id])
+
     con = "user_id=#{user_id}"
     con << " and (#{add_con})" unless add_con.nil? or add_con.empty?
     emails = Email.where(con).to_a

diff --git a/app/models/folder.rb b/app/models/folder.rb
@@ -641,6 +641,7 @@ def self.get_childs_for(user, folder_id, recursive, admin, ret_obj)
   #
   def self.get_childs(folder_id, conditions, recursive, admin, ret_obj)
 
+    SqlHelper.validate_token([folder_id])
     arr = []
 
     if recursive

diff --git a/app/models/group.rb b/app/models/group.rb
@@ -374,6 +374,7 @@ def get_group_folder
   #
   def self.get_group_folder(group_id)
 
+    SqlHelper.validate_token([group_id])
     begin
       return Folder.where("(owner_id=#{group_id}) and (xtype='#{Folder::XTYPE_GROUP}')").first
     rescue => evar

diff --git a/app/models/location.rb b/app/models/location.rb
@@ -44,6 +44,7 @@ def self.get_for(user)
   #
   def self.get_for_group(group_id)
 
+    SqlHelper.validate_token([group_id])
     if group_id.nil?
       con = 'group_id is null'
     else

diff --git a/app/models/mail_account.rb b/app/models/mail_account.rb
@@ -154,6 +154,8 @@ def need_pop?(uid)
   #
   def self.destroy_by_user(user_id, add_con=nil)
 
+    SqlHelper.validate_token([user_id])
+
     con = "user_id=#{user_id}"
     con << " and (#{add_con})" unless add_con.nil? or add_con.empty?
     mail_accounts = MailAccount.where(con).to_a
@@ -265,12 +267,12 @@ def self.get_default_for(user_id, xtype=nil)
       where = 'where ' + con.join(' and ')
     end
 
-    account_ary = MailAccount.find_by_sql('select * from mail_accounts ' + where + ' order by xorder ASC, title ASC')
+    mail_accounts = MailAccount.find_by_sql('select * from mail_accounts ' + where + ' order by xorder ASC, title ASC')
 
-    if account_ary.nil? or account_ary.empty?
+    if mail_accounts.nil? or mail_accounts.empty?
       return nil
     else
-      return account_ary.first
+      return mail_accounts.first
     end
   end
 end
diff --git a/app/models/mail_folder.rb b/app/models/mail_folder.rb
@@ -148,6 +148,8 @@ def self.get_for(user, mail_account_id, xtype)
       user_id = user.to_s
     end
 
+    SqlHelper.validate_token([user_id, mail_account_id, xtype])
+
     con = []
     con << "(user_id=#{user_id})"
     con << "(mail_account_id=#{mail_account_id})"
@@ -173,6 +175,8 @@ def self.get_account_roots_for(user)
       user_id = user.to_s
     end
 
+    SqlHelper.validate_token([user_id])
+
     con = []
     con << "(user_id=#{user_id})"
     con << "(xtype='#{MailFolder::XTYPE_ACCOUNT_ROOT}')"

diff --git a/app/models/paid_holiday.rb b/app/models/paid_holiday.rb
@@ -29,6 +29,9 @@ class PaidHoliday < ActiveRecord::Base
   #return:: PaidHoliday(s) for the specified User.
   #
   def self.get_for(user_id, fiscal_year=nil)
+
+    SqlHelper.validate_token([user_id, fiscal_year])
+
     begin
       con = []
       con << "(user_id=#{user_id})"
@@ -54,8 +57,13 @@ def self.get_for(user_id, fiscal_year=nil)
   #
   def self.update_for(user_id, fiscal_year, num)
 
+    SqlHelper.validate_token([user_id, fiscal_year])
+
     if num <= 0
-      PaidHoliday.destroy_all(['user_id=? and year=?', user_id, fiscal_year])
+      con = []
+      con << "(user_id=#{user_id})"
+      con << "(year=#{fiscal_year})"
+      PaidHoliday.destroy_all(con.join(' and '))
       return
     end
 
@@ -82,6 +90,8 @@ def self.update_for(user_id, fiscal_year, num)
   #
   def self.get_carried_over(user_id, year)
 
+    SqlHelper.validate_token([user_id, year])
+
     yaml = ApplicationHelper.get_config_yaml
     unless yaml[:timecard].nil?
       paidhld_carry_over = yaml[:timecard]['paidhld_carry_over']
@@ -134,5 +144,4 @@ def self.get_carried_over(user_id, year)
       return 0
     end
   end
-
 end
diff --git a/app/models/research.rb b/app/models/research.rb
@@ -356,6 +356,8 @@ def self.get_status
   #
   def self.get_for(user_id)
 
+    SqlHelper.validate_token([user_id])
+
     return Research.where("user_id=#{user_id}").first
   end
-Original file line number
+Diff line change
@@ Expand Up / @@ -356,6 +356,8 @@ def self.get_status @@
       #
       def self.get_for(user_id)
+        SqlHelper.validate_token([user_id])
         return Research.where("user_id=#{user_id}").first
       end
@@ Expand Down @@