IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-25 02:11:08 -06:00
Code Issues Packages Projects Releases Wiki Activity
bfc3132bb2
discourse/spec
History
Alan Guo Xiang Tan bfc3132bb2
SECURITY: Impose a upper bound on limit params in various controllers 
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:53:46 +01:00
..
fabricators FIX: Keep ReviewableQueuedPosts even with user delete reviewable actions (#22501) 2023-07-18 11:50:31 +00:00
fixtures DEV: Fix flaky core backend spec (#22650) 2023-07-18 07:01:19 +08:00
helpers DEV: Replace #pluck_first freedom patch with AR #pick in core (#19893) 2023-02-13 12:39:45 +08:00
import_export DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00
initializers DEV: Fix test (#22018) 2023-06-08 16:12:13 -05:00
integration DEV: Update the rubocop-discourse gem 2023-06-26 11:41:52 +02:00
integrity DEV: Update TranslateAccelerator missing translation string (#22158) 2023-06-16 15:28:03 +01:00
jobs DEV: spec hanging in CI (#22679) 2023-07-19 09:01:30 +08:00
lib SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
mailers FIX: Order tags shown in email subject by topics count and name (#22586) 2023-07-13 15:39:58 +08:00
models SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
multisite DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
requests SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
script/import_scripts DEV: Fix flaky core backend spec (#22650) 2023-07-18 07:01:19 +08:00
serializers SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
services FEATURE: Regenerate outdated summaries. (#22718) 2023-07-20 15:25:46 -03:00
support DEV: Update minitest to 5.19.0 (#22821) 2023-07-27 12:18:40 +02:00
system FIX: Managing sidebar custom sections not working on subfolder (#22773) 2023-07-25 13:57:49 +08:00
tasks DEV: Capture output in hashtags spec (#20773) 2023-03-23 11:47:14 +10:00
views DEV: Fix random typos (#22078) 2023-06-13 22:02:21 +02:00
rails_helper.rb SECURITY: Impose a upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Apply syntax_tree formatting to spec/* 2023-01-09 11:49:28 +00:00