Avoid redirects with unprotected query params

In theory it's possible to add a `host` parameter to a URL, and we could
end up redirecting to that host if we just redirect using query
parameters.

Generating the path using `url_for` with `only_path` solves the issue.

Note in the tests I'm using the `get` method because the `patch` method
wouldn't send query parameters. This doesn't mean the action can be
accessed through GET requests, since controller tests don't check route
verbs. Using feature specs doesn't seem to work because `controller` and
`host` parameters are filtered automatically in feature specs.

Also note I'm not testing every hidden/moderation controller because
they basically use the same code.
This commit is contained in:
Javi Martín
2019-11-10 15:27:20 +01:00
parent 667797161b
commit 50bdfd5488
5 changed files with 84 additions and 1 deletions


@@ -122,6 +122,9 @@ class ApplicationController < ActionController::Base
end
def redirect_with_query_params_to(options, response_status = {})
redirect_to request.query_parameters.merge(options), response_status
path_options = { controller: params[:controller] }.merge(options).merge(only_path: true)
path = url_for(request.query_parameters.merge(path_options))
redirect_to path, response_status
end
end
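Review bot: the new `path_options` pins only `controller` from `params`, so when a caller's `options` does not include `action`, an `action` key arriving in `request.query_parameters` survives the merge and `url_for` will build the path for whatever action the query string names. Consider pinning it alongside the controller, e.g. `{ controller: params[:controller], action: params[:action] }.merge(options)`, or document that callers must always pass `action` in `options`; `only_path: true` correctly discards `host`, `protocol` and `port` from the query string, but it does nothing for `action`.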