github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-28 22:08:01 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Impose a upper bound on limit params in various controllers

Browse Source 
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
This commit is contained in:
Alan Guo Xiang Tan
2023-07-28 12:53:46 +01:00
committed by David Taylor
parent 0976c8fad6
commit bfc3132bb2
32 changed files with 232 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/notifications_controller.rb
View File

@ -5,6 +5,8 @@ class NotificationsController < ApplicationController
before_action :ensure_admin, only: %i[create update destroy]
before_action :set_notification, only: %i[update destroy]
INDEX_LIMIT = 50
def index
user =
if params[:username] && !params[:recent]
@ -25,8 +27,7 @@ class NotificationsController < ApplicationController
end
if params[:recent].present?
limit = (params[:limit] || 15).to_i
limit = 50 if limit > 50
limit = fetch_limit_from_params(default: 15, max: INDEX_LIMIT)
include_reviewables = false