consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Check for valid segments before returning recipients

Browse Source 
We were getting a warning by CodeQL regarding a possible code injection
in the `send(segment)` code.

In practice, this wasn't a big deal because the `self.recipients` method
is only called in the admin section, meaning only admin users could try
to take advantage of the code injection, and because this code is rarely
called with an invalid segment due to several conditions in the code
checking that the user segment is valid, with the only exception being
the `generate_csv` action in the `Admin::EmailsDownloadController`.

In any case, now we're checking that the segment is valid before calling
the `send` method. Since now we're making sure that the segment is valid
in the `recipients` method itself, we can remove this check from methods
calling it.
This commit is contained in:
Javi Martín
2025-03-05 22:54:01 +01:00
parent 93ced85ca5
commit ad995f5a7c
3 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/admin_notification.rb
View File

@@ -13,7 +13,7 @@ class AdminNotification < ApplicationRecord
before_validation :complete_link_url
def list_of_recipients
UserSegments.recipients(segment_recipient) if valid_segment_recipient?
UserSegments.recipients(segment_recipient)
end
def valid_segment_recipient?