discourse/spec/models
Robin Ward 1d38040579 SECURITY: SQL injection with default categories
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.

The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event that bad data somehow
already exists.
2019-07-11 13:41:51 -04:00
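The two layers the commit message describes, as an added illustration in Ruby that is not Discourse's own code: a write-time validator for the setting value, the interpolation pattern that makes a bad value dangerous, and a read-time coercion to integers plus a parameterised query that holds even if a bad value is already stored. It assumes the setting is a pipe-delimited string of category ids (e.g. "3|7|12") and a query that filters on those ids; the function names, the table name and the `$n` placeholder style are assumptions for the example.

```ruby
# Added example, not Discourse's code. Assumes a site setting stored as a
# pipe-delimited list of integer category ids, e.g. "3|7|12".

ID_LIST = /\A\d+(\|\d+)*\z/

# Primary fix: validate at write time so that an admin (or an API client using
# an admin key) cannot store anything other than a list of integer ids.
# An empty list is a legitimate value.
def valid_category_list?(value)
  value = value.to_s
  value.empty? || ID_LIST.match?(value)
end

# Vulnerable pattern: the stored value is spliced straight into the SQL text,
# so a non-numeric token changes the structure of the query.
def vulnerable_sql(setting_value)
  ids = setting_value.to_s.split('|').join(', ')
  "SELECT id FROM categories WHERE id IN (#{ids})"
end

# Secondary fix: even if bad data already exists in the database, only tokens
# that are entirely digits are accepted, and they are coerced to Integer before
# they go anywhere near the query. Anything else is dropped, not trusted.
def sanitized_ids(setting_value)
  setting_value.to_s.split('|').grep(/\A\d+\z/).map(&:to_i)
end

# Parameterised query: the SQL text carries only placeholders; the ids travel
# separately as bind values, so the query structure is fixed at build time.
# Returns nil when there is nothing to filter on (IN () is not valid SQL).
def hardened_sql(setting_value)
  ids = sanitized_ids(setting_value)
  return nil if ids.empty?
  placeholders = ids.each_index.map { |i| "$#{i + 1}" }.join(', ')
  ["SELECT id FROM categories WHERE id IN (#{placeholders})", ids]
end

if __FILE__ == $PROGRAM_NAME
  bad = "3|7) OR 1=1 --"            # constructed bad value for the demo
  puts "valid? #{valid_category_list?(bad)}"
  puts "vulnerable: #{vulnerable_sql(bad)}"
  sql, binds = hardened_sql(bad)
  puts "hardened:   #{sql} with #{binds.inspect}"
end
```

The validator alone is not enough on its own: a value written before the validator existed, or by a path that bypasses it, would still reach the query. That is why the read side also coerces and binds rather than trusting the stored string.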
about_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
admin_dashboard_problem_spec.rb DEV: introduce new API to look up dynamic site setting 2019-05-07 11:00:30 +10:00
api_key_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
application_request_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
badge_spec.rb FEATURE: English locale with international date formats 2019-05-20 13:47:20 +02:00
badge_type_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
category_featured_topic_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
category_group_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
category_list_spec.rb PERF: speed up spec suite, avoid featuring topics 2019-05-10 11:37:53 +10:00
category_spec.rb FIX: do not include uncategorized_category_id in topic_create_allowed if posting in uncategorized is disabled 2019-06-26 17:41:07 +10:00
category_user_spec.rb FIX: CategoryUser#batch_set (#7787) 2019-06-25 12:13:27 +10:00
child_theme_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
color_scheme_color_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
color_scheme_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
developer_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
digest_email_site_setting_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
directory_item_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
discourse_single_sign_on_spec.rb FEATURE: ban any SSO attempts with invalid external id 2019-06-11 10:04:26 +10:00
draft_sequence_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
draft_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
email_change_request_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
email_log_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
email_token_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
embeddable_host_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
emoji_spec.rb FIX: provides an emoji helper to replace codes by images (#7802) 2019-06-26 15:11:04 +02:00
given_daily_like_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
global_setting_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
group_history_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
group_spec.rb FEATURE: Add new group visibility option for "logged on users" (#7814) 2019-07-08 15:09:50 -04:00
group_user_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
incoming_link_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
incoming_links_report_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
invite_redeemer_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
invite_spec.rb DEV: Enable invite_spec test again 2019-05-16 18:55:36 -03:00
javascript_cache_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
locale_site_setting_spec.rb DEV: clean up potential locale leak 2019-06-03 12:42:29 +10:00
mailing_list_mode_site_setting_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
notification_spec.rb More prefabrication 2019-05-10 08:34:04 -04:00
optimized_image_spec.rb DEV: Remove use of fake external store in optimized images spec. 2019-05-29 20:13:23 +08:00
permalink_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
plugin_store_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
post_action_spec.rb Marked flaky test 2019-07-09 10:45:11 +01:00
post_action_type_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
post_analyzer_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
post_detail_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
post_mover_spec.rb FEATURE: Preserve notifications levels when splitting topics. (#7494) 2019-05-15 17:29:29 +10:00
post_reply_key_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
post_reply_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
post_spec.rb FEATURE: Add "Group owners" to posting options for groups 2019-07-08 17:14:11 -04:00
post_timing_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
post_upload_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
quoted_post_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
remote_theme_spec.rb DEV: Update specs for new stylesheet location 2019-05-31 16:15:08 +01:00
report_spec.rb FIX: Do not show self edits in Post Edits report. (#7510) 2019-05-09 20:39:17 +03:00
reviewable_claimed_topic_spec.rb Make rubocop happy. 2019-05-13 09:55:44 +08:00
reviewable_flagged_post_spec.rb FIX: Category topics should not be deletable via review queue 2019-05-30 16:43:23 -04:00
reviewable_history_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
reviewable_queued_post_spec.rb Migrate score settings to use sensitivities 2019-05-24 15:44:24 -04:00
reviewable_score_spec.rb FIX: Only include pending/agreed scores in the total score 2019-06-26 11:21:35 -04:00
reviewable_spec.rb FEATURE: Can sort reviewable queue 2019-06-05 13:21:05 -04:00
reviewable_user_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
s3_region_site_setting_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
screened_email_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
screened_ip_address_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
screened_url_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
search_log_spec.rb Time variable used to be created with users timezone, it has to be UTC in order to pass the test 2019-05-07 08:43:38 -04:00
site_setting_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
site_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
skipped_email_log_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
stylesheet_cache_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
tag_group_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
tag_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
tag_user_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
theme_field_spec.rb FEATURE: Multi-file javascript support for themes (#7526) 2019-06-03 10:41:00 +01:00
theme_spec.rb FEATURE: allow disabling theme components (#7812) 2019-07-03 18:18:11 +10:00
top_menu_item_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
top_topic_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_allowed_user_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
topic_converter_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_embed_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_featured_users_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
topic_invite_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
topic_link_click_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_link_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_list_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_participants_summary_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_posters_summary_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_spec.rb FEATURE: opt-in guidance on topics for users without access (#7852) 2019-07-04 10:12:39 +02:00
topic_tag_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_timer_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_tracking_state_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_user_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
topic_view_item_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
translation_override_spec.rb FEATURE: English locale with international date formats 2019-05-20 13:47:20 +02:00
trust_level3_requirements_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
unsubscribe_key_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
upload_spec.rb FIX: Upload#short_url generates incorrect URL when extension is nil. 2019-06-19 09:10:50 +08:00
user_action_spec.rb Fix broken spec in 405ba00c08. 2019-05-08 15:45:25 +08:00
user_api_key_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_archived_message_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_auth_token_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
user_avatar_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
user_badge_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
user_email_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_export_spec.rb FIX: delete system generated message when user_export record is deleted (#7595) 2019-05-28 16:38:41 +05:30
user_field_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_history_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
user_open_id_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_option_spec.rb FEATURE: add support for defer topic functionality 2019-05-31 15:44:35 +10:00
user_profile_spec.rb Revert "FIX: Add missing unique index on user_id for user_profiles." 2019-05-24 12:58:36 +08:00
user_profile_view_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
user_search_spec.rb Support multi-group user search 2019-05-30 08:45:20 +08:00
user_second_factor_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_spec.rb SECURITY: SQL injection with default categories 2019-07-11 13:41:51 -04:00
user_stat_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
user_summary_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
user_visit_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00
username_validator_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
watched_word_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
web_crawler_request_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
web_hook_event_spec.rb DEV: use #frozen_string_literal: true on all spec 2019-04-30 10:27:42 +10:00
web_hook_spec.rb DEV: Prefabrication (test optimization) (#7414) 2019-05-07 13:12:20 +10:00