github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-26 07:51:35 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: CSRF vulnerabilities in Admin::BackupsController.

Browse Source
This commit is contained in:
Guo Xiang Tan
2017-03-23 10:29:35 +08:00
parent 11ce73b8ed
commit 3ef82bb32c
4 changed files with 49 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/assets/javascripts/admin/models/backup.js.es6
View File

@ -34,15 +34,17 @@ Backup.reopenClass({
}, },
cancel() { cancel() {
return ajax("/admin/backups/cancel.json") return ajax("/admin/backups/cancel.json", {
.then(result => { type: 'DELETE'
if (!result.success) { bootbox.alert(result.message); } }).then(result => {
}); if (!result.success) { bootbox.alert(result.message); }
});
}, },
rollback() { rollback() {
return ajax("/admin/backups/rollback.json") return ajax("/admin/backups/rollback.json", {
.then(result => { type: 'POST'
}).then(result => {
if (!result.success) { if (!result.success) {
bootbox.alert(result.message); bootbox.alert(result.message);
} else { } else {

4
config/routes.rb
View File

@ -242,8 +242,8 @@ Discourse::Application.routes.draw do
collection do collection do
get "logs" => "backups#logs" get "logs" => "backups#logs"
get "status" => "backups#status" get "status" => "backups#status"
get "cancel" => "backups#cancel" delete "cancel" => "backups#cancel"
get "rollback" => "backups#rollback" post "rollback" => "backups#rollback"
put "readonly" => "backups#readonly" put "readonly" => "backups#readonly"
get "upload" => "backups#check_backup_chunk" get "upload" => "backups#check_backup_chunk"
post "upload" => "backups#upload_backup_chunk" post "upload" => "backups#upload_backup_chunk"

24
spec/controllers/admin/backups_controller_spec.rb
View File

@ -75,18 +75,6 @@ describe Admin::BackupsController do
end end
describe ".cancel" do
it "cancels an export" do
BackupRestore.expects(:cancel!)
xhr :delete, :cancel
expect(response).to be_success
end
end
describe ".show" do describe ".show" do
it "uses send_file to transmit the backup" do it "uses send_file to transmit the backup" do
@ -212,18 +200,6 @@ describe Admin::BackupsController do
end end
describe ".rollback" do
it "rolls back to previous working state" do
BackupRestore.expects(:rollback!)
xhr :get, :rollback
expect(response).to be_success
end
end
describe ".readonly" do describe ".readonly" do
it "enables readonly mode" do it "enables readonly mode" do

39
spec/integration/admin/backups_spec.rb Normal file
View File

@ -0,0 +1,39 @@
require 'rails_helper'
RSpec.describe "Managing Backups" do
let(:admin) { Fabricate(:admin) }
before do
sign_in(admin)
end
describe 'rolling back a restore' do
it 'should rollback the restore' do
BackupRestore.expects(:rollback!)
post "/admin/backups/rollback.json"
expect(response).to be_success
end
it 'should not allow rollback via a GET request' do
expect { get "/admin/backups/rollback.json" }
.to raise_error(ActionController::RoutingError)
end
end
describe 'cancelling a backup' do
it "should cancel an backup" do
BackupRestore.expects(:cancel!)
delete "/admin/backups/cancel.json"
expect(response).to be_success
end
it 'should not allow cancel via a GET request' do
expect { get "/admin/backups/cancel.json" }
.to raise_error(ActionController::RoutingError)
end
end
end