this fixes issue #20, seriously, no clue how I missed the missing constantize code

Ken Johnson
2013-06-06 16:43:58 -04:00
parent 215bc8614c
commit d445e59a98
2 changed files with 32 additions and 19 deletions
+14 -6
@@ -2,31 +2,39 @@ class BenefitFormsController < ApplicationController
def index def index
end end
def download def download
begin begin
file = Rails.root.join('public', 'docs', params[:name]) path = Rails.root.join('public', 'docs', params[:name])
file = params[:type].constantize.new(path)
send_file file, :disposition => 'attachment' send_file file, :disposition => 'attachment'
rescue rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id) redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end end
end end
=begin =begin
# More secure version # More secure version
def download def download
file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"} file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
begin begin
if file_assoc.has_key?(params[:name].to_s) if file_assoc.has_key?(params[:name].to_s)
file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s]) path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
send_file file, :disposition => 'attachment' if params[:type] == "File"
file = params[:type].constantize.new(path)
send_file file, :disposition => 'attachment'
end
else else
file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf") file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
send_file file, :disposition => 'attachment'
end end
rescue rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id) redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end end
end end
=end =end
end end
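Review bot: On the new side of `download`, `file = params[:type].constantize.new(path)` instantiates whatever constant the request names and hands it the request-built `path`, and the bare `rescue` on the following line turns any resulting `NameError` or `NoMethodError` into a silent redirect, so an unexpected value never reaches the logs. The commented-out "More secure version" compares `params[:type]` to `"File"` but then still calls `constantize`; once the value has been checked the class can be named directly, `file = File.new(path) if params[:type] == "File"`, which leaves no request-controlled constant lookup in either variant. Both `rescue` clauses would be more useful as `rescue => e` followed by `Rails.logger.warn("benefit form download failed: #{e.class}")` before the redirect, so failed requests stay visible. The `=begin`/`=end` block is inert, so the first `download` remains the live action.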
@@ -37,16 +37,17 @@
</p> </p>
<pre class="ruby"> <pre class="ruby">
def download def download
begin begin
file = Rails.root.join('public', 'docs', params[:name]) <span style="background-color:yellow">path = Rails.root.join('public', 'docs', params[:name])</span>
send_file file, :disposition => 'attachment' <span style="background-color:yellow">file = params[:type].constantize.new(path)</span>
rescue send_file file, :disposition => 'attachment'
redirect_to user_benefit_forms_path(:user_id => current_user.user_id) rescue
end redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end end
end
</pre> </pre>
<p class="desc"> <p class="desc">
The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved. The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved. Additionally, the params[:type] (File) is not validated to make sure it matches up with expected values.
</p> </p>
</div> </div>
</div> </div>
@@ -85,15 +86,19 @@
In this instance and as always, there are multiple ways to fix this. A simple method to secure this function by validating user input is as follows: In this instance and as always, there are multiple ways to fix this. A simple method to secure this function by validating user input is as follows:
</p> </p>
<pre class="ruby"> <pre class="ruby">
# More secure version # More secure version
def download def download
file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"} <span style="background-color:yellow">file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}</span>
begin begin
if file_assoc.has_key?(params[:name].to_s) <span style="background-color:yellow">if file_assoc.has_key?(params[:name].to_s)</span>
file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s]) path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
send_file file, :disposition => 'attachment' <span style="background-color:yellow">if params[:type] == "File"</span>
file = params[:type].constantize.new(path)
send_file file, :disposition => 'attachment'
end
else else
file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf") file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
send_file file, :disposition => 'attachment'
end end
rescue rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id) redirect_to user_benefit_forms_path(:user_id => current_user.user_id)