SECURITY: disable user entered badge SQL by default

- Hidden site settings now must be change via rails console
2025-05-21 18:12:32 +08:00 · 2016-07-28 09:03:00 +10:00
parent cb3afd11b4
commit c6dbaca0dc
6 changed files with 110 additions and 41 deletions
--- a/app/controllers/admin/badges_controller.rb
+++ b/app/controllers/admin/badges_controller.rb
@ -15,6 +15,12 @@ class Admin::BadgesController < Admin::AdminController
  end

  def preview
+
+    unless SiteSetting.enable_badge_sql
+      render json: "preview not allowed", status: 403
+      return
+    end
+
    render json: BadgeGranter.preview(params[:sql],
                                      target_posts: params[:target_posts] == "true",
                                      explain: params[:explain] == "true",
@ -95,6 +101,8 @@ class Admin::BadgesController < Admin::AdminController
        allowed = Badge.column_names.map(&:to_sym)
        allowed -= [:id, :created_at, :updated_at, :grant_count]
        allowed -= Badge.protected_system_fields if badge.system?
+        allowed -= [:query] unless SiteSetting.enable_badge_sql
+
        params.permit(*allowed)

        allowed.each do |key|
@ -103,7 +111,9 @@ class Admin::BadgesController < Admin::AdminController

        # Badge query contract checks
        begin
-          BadgeGranter.contract_checks!(badge.query, { target_posts: badge.target_posts, trigger: badge.trigger })
+          if SiteSetting.enable_badge_sql
+            BadgeGranter.contract_checks!(badge.query, { target_posts: badge.target_posts, trigger: badge.trigger })
+          end
        rescue => e
          errors << e.message
          raise ActiveRecord::Rollback