Added fix for Analytics SQLi

This commit is contained in:
John Poulin
2014-04-08 18:04:49 -04:00
committed by cktricky
parent 196b732b91
commit 5bb9c75f06
2 changed files with 13 additions and 3 deletions
+2 -2
@@ -7,11 +7,11 @@ class AdminController < ApplicationController
end end
def analytics def analytics
if params[:field].nil? if params[:field].nil?
fields = "*" fields = "*"
else else
fields = params[:field].map {|k,v| k}.join(",") #fields = params[:field].map {|k,v| k }.join(",")
fields = params[:field].map {|k,v| Analytics.parse_field(k) }.join(",")
end end
if params[:ip] if params[:ip]
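Review bot: The new call on L19 keeps the `{|k,v| ... }` block shape, which assumes `params[:field]` is a Hash; if the parameter arrives as a plain string the `map` raises NoMethodError, and if it arrives as an Array of strings each element becomes `k` and is mapped by `parse_field` to `"1"`, so malformed input degrades to a `SELECT 1,1,...` query instead of a clean rejection. Consider `fields = params[:field].keys.map { |k| Analytics.parse_field(k) }.join(",")` together with a type check ahead of the branch, e.g. `return head(:bad_request) unless params[:field].respond_to?(:keys)`. The commented-out previous line kept at L18 should be deleted rather than left in the source, since the history is already in git. The `analytics` action continues past the end of this hunk.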
+11 -1
@@ -1,9 +1,19 @@
class Analytics < ActiveRecord::Base class Analytics < ActiveRecord::Base
attr_accessible :ip_address, :referrer, :user_agent attr_accessible :ip_address, :referrer, :user_agent
scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where("ip_address = '#{ip}'")} scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}
def self.count_by_col(col) def self.count_by_col(col)
calculate(:count, col) calculate(:count, col)
end end
def self.parse_field(field)
valid_fields = ["ip_address", "referrer", "user_agent"]
if valid_fields.include?(field)
field
else
"1"
end
end
end end
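Review bot: `hits_by_ip` on L27 now passes `ip` as a bound value via `where(:ip_address => ip)`, but `select("#{col}")` still interpolates `col` straight into the SELECT list, so the scope is only as safe as its callers' use of `parse_field`; the controller hunk in this commit does route through it, but nothing in the model enforces that. Apply the allow-list inside the scope itself, e.g. `select(col == "*" ? "*" : col.split(",").map { |c| Analytics.parse_field(c) }.join(","))`, so a future caller cannot bypass it. In `parse_field`, the `valid_fields` array is rebuilt on every call; hoist it to `VALID_FIELDS = %w[ip_address referrer user_agent].freeze` and reduce the body to `VALID_FIELDS.include?(field) ? field : "1"`. Substituting `"1"` also silently changes which columns the query returns rather than reporting the bad field name; if callers would rather fail closed, raising `ArgumentError` there may be the clearer contract.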