Avoid redirects with unprotected query params
In theory it's possible to add a `host` parameter to a URL, and we could end up redirecting to that host if we just redirect using query parameters. Generating the path using `url_for` with `only_path` solves the issue. Note in the tests I'm using the `get` method because the `patch` method wouldn't send query parameters. This doesn't mean the action can be accessed through GET requests, since controller tests don't check route verbs. Using feature specs doesn't seem to work because `controller` and `host` parameters are filtered automatically in feature specs. Also note I'm not testing every hidden/moderation controller because they basically use the same code.
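The two redirect patterns the commit message contrasts, as an added example that is not the project's code: a simplified stand-in for the hash form of `url_for` (hypothetical `redirect_from_params`), the `only_path` form (hypothetical `redirect_only_path`), and a same-origin check on a `Location` value; the parameter hash is constructed to mirror the spec in this commit.

```ruby
require "uri"

# Added example, not the project's code. A simplified stand-in for the hash form of
# Rails' url_for: hash keys such as :host override the request host, so a `host`
# query parameter passed straight through ends up in the redirect target.
REDIRECT_PATH = "/moderation/users".freeze
ROUTING_KEYS = %w[controller action id host protocol port only_path].freeze

# Keep only the non-routing parameters as the query string (hypothetical helper).
def query_string(params)
  query = params.reject { |k, _| ROUTING_KEYS.include?(k) }
  query.empty? ? "" : "?#{URI.encode_www_form(query)}"
end

# Vulnerable pattern: the target is built from the raw parameter hash, so an
# attacker-supplied "host" wins over the request host.
def redirect_from_params(request_host, params)
  "http://#{params.fetch("host", request_host)}#{REDIRECT_PATH}#{query_string(params)}"
end

# Fixed pattern: only_path drops scheme and host entirely, whatever the params say.
def redirect_only_path(params)
  "#{REDIRECT_PATH}#{query_string(params)}"
end

# Defensive check usable in a spec or a response middleware: a redirect Location must
# be relative (no scheme, no authority) or point at the request host itself.
def same_origin_redirect?(location, request_host)
  uri = URI.parse(location)
  uri.host.nil? || uri.host == request_host
rescue URI::InvalidURIError
  false
end

# Constructed request parameters mirroring the spec in this commit
PARAMS = { "id" => "7", "name_or_email" => "user@consul.dev", "host" => "evil.dev" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts redirect_from_params("consul.dev", PARAMS) # host taken from the query string
  puts redirect_only_path(PARAMS)                 # path and query only
end
```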
New file (15 lines added): spec/controllers/moderation/users_controller_spec.rb
@@ -0,0 +1,15 @@
require "rails_helper"

describe Moderation::UsersController do
before { sign_in create(:moderator).user }

describe "PUT hide_in_moderation_screen" do
it "keeps query parameters while using protected redirects" do
user = create(:user, email: "user@consul.dev")

get :hide_in_moderation_screen, params: { id: user, name_or_email: "user@consul.dev", host: "evil.dev" }

expect(response).to redirect_to "/moderation/users?name_or_email=user%40consul.dev"
end
end
end
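Review bot: the describe block is titled "PUT hide_in_moderation_screen" but the example issues `get`; add a one-line comment in the spec stating that `get` is used only because `patch` would not send query parameters in controller tests and that the route verb is not exercised here, since that reasoning currently lives only in the commit message. Consider also asserting on the dropped host explicitly, e.g. `expect(response.location).not_to include("evil.dev")`, so the purpose of the `host: "evil.dev"` parameter is visible in the expectation rather than only implied by the relative redirect path.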