From c0e987e0d48e758a8cc8c6b5e211332c97ffdc7e Mon Sep 17 00:00:00 2001
From: Dominic Cleal
Date: Fri, 27 Sep 2013 16:43:43 +0100
Subject: [PATCH] fixes #3160 - sanitize host/host group names in lookup_value associations (CVE-2013-XXXX)
---
 app/models/concerns/host_common.rb | 2 +-
 test/fixtures/lookup_keys.yml | 2 +-
 test/unit/hostgroup_test.rb | 16 +++++++++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/models/concerns/host_common.rb b/app/models/concerns/host_common.rb
index fefa06c..9875022 100644
--- a/app/models/concerns/host_common.rb
+++ b/app/models/concerns/host_common.rb
@@ -17,7 +17,7 @@ module HostCommon
 belongs_to :subnet
 before_save :check_puppet_ca_proxy_is_required?
- has_many :lookup_values, :finder_sql => Proc.new { %Q{ SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = '#{lookup_value_match}') } }, :dependent => :destroy
+ has_many :lookup_values, :finder_sql => Proc.new { LookupValue.where('lookup_values.match' => lookup_value_match).to_sql }, :dependent => :destroy
 # See "def lookup_values_attributes=" under, for the implementation of accepts_nested_attributes_for :lookup_values
 accepts_nested_attributes_for :lookup_values
 # Replacement of accepts_nested_attributes_for :lookup_values,
diff --git a/test/fixtures/lookup_keys.yml b/test/fixtures/lookup_keys.yml
index f6dedce..d4483b8 100644
--- a/test/fixtures/lookup_keys.yml
+++ b/test/fixtures/lookup_keys.yml
@@ -9,7 +9,7 @@ one:
 two:
 key: ssl_port
- key_type: integer
+ key_type: string
 validator_type: list
 validator_rule: '443,8443'
 puppetclass: one
diff --git a/test/unit/hostgroup_test.rb b/test/unit/hostgroup_test.rb
index 762b6dd..ed6701b 100644
--- a/test/unit/hostgroup_test.rb
+++ b/test/unit/hostgroup_test.rb
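Review bot: The rewritten `has_many :lookup_values` finder on the `+` line now routes `lookup_value_match` through ActiveRecord's quoting, but nothing at the declaration records why, so a later edit could quietly reintroduce interpolation; I would add above it `# lookup_value_match is derived from the user-supplied host/hostgroup name: build the SQL via where(...).to_sql so the adapter quotes the value, never interpolate it.` Two follow-ups to confirm: `:finder_sql` was deprecated in Rails 4.0 and removed in 4.1, so this association will need to become a scoped `has_many` on `match` when the app upgrades, and `LookupValue.where(...)` will now carry any `default_scope` declared on LookupValue into the finder, which the previous raw SELECT did not. The module body continues outside the hunk.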
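Review bot: The fixture change from `key_type: integer` to `key_type: string` on key `two` is not explained by the commit message, which only mentions the SQL sanitization; presumably it is needed so the `lookup_values(:four)` record re-saved in the new hostgroup test validates against this key, but that link is not visible here. A one-line comment on the changed line, e.g. `key_type: string  # string so lookup_values(:four) can be re-saved in hostgroup_test.rb`, would keep the fixture from being "corrected" back to integer later.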
@@ -176,4 +176,18 @@ class HostgroupTest < ActiveSupport::TestCase
 assert_equal "db", hostgroup.label
 end
 
-end
\ No newline at end of file
+ test "should find associated lookup_values" do
+ assert_equal [lookup_values(:hostgroupcommon), lookup_values(:four)], hostgroups(:common).lookup_values.sort
+ end
+
+ test "should find associated lookup_values with unsafe SQL name" do
+ hostgroup = hostgroups(:common)
+ hostgroup.name = "Robert';"
+ hostgroup.save!
+ lv = lookup_values(:four)
+ lv.match = "hostgroup=#{hostgroup.name}"
+ lv.save!
+ assert_equal [lookup_values(:four)], hostgroup.lookup_values
+ end
+
+end
-- 
1.8.3.1
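Review bot: The first new test calls `.sort` on ActiveRecord instances, which only works if `LookupValue` defines `<=>` (not visible here); unless it does the comparison raises, and the expected array on the left is not ordered by the same key in any case. A deterministic form is `assert_equal [lookup_values(:hostgroupcommon), lookup_values(:four)].sort_by(&:id), hostgroups(:common).lookup_values.sort_by(&:id)`. The second test depends on `hostgroup.save!` accepting the name `Robert';` and on `lookup_value_match` producing `hostgroup=<name>`, both defined outside the hunk, so a later name-format validation would break it for an unrelated reason; a comment on the test stating its intent, `# name contains a quote: the association finder must quote it, not interpolate it`, makes that failure easier to diagnose.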