discourse/spec/fabricators/watched_word_group_fabricator.rb
Vinoth Kannan 7b53e610c1
SECURITY: limit the number of characters in watched word replacements.
The watch words controller creation function, create_or_update_word(), doesn’t validate the size of the replacement parameter, unlike the word parameter, when creating a replace watched word. So anyone with moderator privileges can create watched words with almost unlimited characters.
2024-07-15 19:25:17 +08:00

7 lines
160 B
Ruby

# frozen_string_literal: true

Fabricator(:watched_word_group) do
  action WatchedWord.actions[:block]
  watched_words { [Fabricate.build(:watched_word)] }
end