SECURITY: disable user entered badge SQL by default

- Hidden site settings now must be change via rails console
2025-05-22 20:41:24 +08:00 · 2016-07-28 09:03:00 +10:00
parent cb3afd11b4
commit c6dbaca0dc
6 changed files with 110 additions and 41 deletions
--- a/app/controllers/admin/badges_controller.rb
+++ b/app/controllers/admin/badges_controller.rb
@ -15,6 +15,12 @@ class Admin::BadgesController < Admin::AdminController
  end

  def preview
+
+    unless SiteSetting.enable_badge_sql
+      render json: "preview not allowed", status: 403
+      return
+    end
+
    render json: BadgeGranter.preview(params[:sql],
                                      target_posts: params[:target_posts] == "true",
                                      explain: params[:explain] == "true",
@ -95,6 +101,8 @@ class Admin::BadgesController < Admin::AdminController
        allowed = Badge.column_names.map(&:to_sym)
        allowed -= [:id, :created_at, :updated_at, :grant_count]
        allowed -= Badge.protected_system_fields if badge.system?
+        allowed -= [:query] unless SiteSetting.enable_badge_sql
+
        params.permit(*allowed)

        allowed.each do |key|
@ -103,7 +111,9 @@ class Admin::BadgesController < Admin::AdminController

        # Badge query contract checks
        begin
-          BadgeGranter.contract_checks!(badge.query, { target_posts: badge.target_posts, trigger: badge.trigger })
+          if SiteSetting.enable_badge_sql
+            BadgeGranter.contract_checks!(badge.query, { target_posts: badge.target_posts, trigger: badge.trigger })
+          end
        rescue => e
          errors << e.message
          raise ActiveRecord::Rollback
--- a/app/controllers/admin/site_settings_controller.rb
+++ b/app/controllers/admin/site_settings_controller.rb
@ -10,6 +10,10 @@ class Admin::SiteSettingsController < Admin::AdminController
    value = params[id]
    value.strip! if value.is_a?(String)
    begin
+      # note, as of Ruby 2.3 symbols are GC'd so this is considered safe
+      if SiteSetting.hidden_settings.include?(id.to_sym)
+        raise Discourse::InvalidParameters, "You are not allowed to change hidden settings"
+      end
      SiteSetting.set_and_log(id, value, current_user)
      render nothing: true
    rescue Discourse::InvalidParameters => e