team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

this fixes issue #20, seriously, no clue how I missed the missing constantize code

Browse Source
This commit is contained in:
Ken Johnson
2013-06-06 16:43:58 -04:00
parent 215bc8614c
commit d445e59a98
2 changed files with 32 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/benefit_forms_controller.rb
+14 -6
View File
@@ -2,31 +2,39 @@ class BenefitFormsController < ApplicationController
def index
end
def download
begin
file = Rails.root.join('public', 'docs', params[:name])
path = Rails.root.join('public', 'docs', params[:name])
file = params[:type].constantize.new(path)
send_file file, :disposition => 'attachment'
rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end
end
=begin
=begin
# More secure version
def download
file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
begin
if file_assoc.has_key?(params[:name].to_s)
file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
send_file file, :disposition => 'attachment'
path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
if params[:type] == "File"
file = params[:type].constantize.new(path)
send_file file, :disposition => 'attachment'
end
else
file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
send_file file, :disposition => 'attachment'
end
rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end
end
=end
=end
end
app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb
+18 -13
View File
@@ -37,16 +37,17 @@
</p>
<pre class="ruby">
def download
begin
file = Rails.root.join('public', 'docs', params[:name])
send_file file, :disposition => 'attachment'
rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end
end
begin
<span style="background-color:yellow">path = Rails.root.join('public', 'docs', params[:name])</span>
<span style="background-color:yellow">file = params[:type].constantize.new(path)</span>
send_file file, :disposition => 'attachment'
rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
end
end
</pre>
<p class="desc">
The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved.
The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved. Additionally, the params[:type] (File) is not validated to make sure it matches up with expected values.
</p>
</div>
</div>
@@ -85,15 +86,19 @@
In this instance and as always, there are multiple ways to fix this. A simple method to secure this function by validating user input is as follows:
</p>
<pre class="ruby">
# More secure version
# More secure version
def download
file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
<span style="background-color:yellow">file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}</span>
begin
if file_assoc.has_key?(params[:name].to_s)
file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
send_file file, :disposition => 'attachment'
<span style="background-color:yellow">if file_assoc.has_key?(params[:name].to_s)</span>
path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
<span style="background-color:yellow">if params[:type] == "File"</span>
file = params[:type].constantize.new(path)
send_file file, :disposition => 'attachment'
end
else
file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
send_file file, :disposition => 'attachment'
end
rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id)