
Commit 7136fcd

Whitelist the `page` and `layout` parameters for pages based on which pages/layouts are actually present
1 parent 227de58 commit 7136fcd

3 files changed

+52
-4
lines changed


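--- a/app/controllers/pages_controller.rb
+++ b/app/controllers/pages_controller.rb
@@ -1,6 +1,27 @@
 class PagesController < ApplicationController
+
+
   def show
     show_pages_params = params.permit(:page, :layout)
-    render action: show_pages_params[:page], layout: (show_pages_params[:layout] || 'application')
+    page_to_show = whitelist_page(show_pages_params[:page])
+
+    render action: page_to_show, layout: whitelist_layout(show_pages_params[:layout])
+  end
+
+  private
+
+  # Checks whether the requested_page exists in app/views/pages/*.html.haml
+  def whitelist_page(requested_page)
+    raise "Invalid page: #{requested_page}" unless STATIC_PAGES.include?(requested_page)
+
+    requested_page
+  end
+
+  def whitelist_layout(requested_layout)
+    return 'application' if requested_layout.nil?
+
+    raise "Invalid layout: #{requested_layout}" unless STATIC_PAGE_LAYOUTS.include?(requested_layout)
+
+    requested_layout
   end
 end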
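Review bot: Both `raise "Invalid page: …"` in `whitelist_page` and `raise "Invalid layout: …"` in `whitelist_layout` raise a plain RuntimeError, which Rails reports as a 500 with an exception notification rather than a 404, so every probe of a non-existent page shows up as a server error. Raising `ActionController::RoutingError, "Not Found"` keeps the fail-closed allow-list check and is mapped to 404 by Rails' default rescue_responses; the spec's `raise_error` expectations would then match on the class instead of the message text. Interpolating the raw parameter into the message does not weaken the check, but it copies attacker-controlled text straight into the exception and log line, so consider logging the rejected value separately with its own label. A short comment on `whitelist_layout`, `# nil means the layout param was absent; an empty string still has to be in the allow-list`, would document the only branch that bypasses the `include?` check.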

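--- /dev/null
+++ b/config/initializers/pages.rb
@@ -0,0 +1,15 @@
+# Look at the *.html.haml files in the app/views/pages directory
+STATIC_PAGES ||= Dir.glob('app/views/pages/*.html.{erb,haml}')
+  .map { |f| File.basename(f, '.html.erb') }
+  .map { |f| File.basename(f, '.html.haml') }
+  .reject{ |f| f =~ /^_/ }
+  .sort
+  .uniq
+
+# Look at the *.html.haml files in the app/views/pages directory
+STATIC_PAGE_LAYOUTS ||= Dir.glob('app/views/layouts/*.html.{erb,haml}')
+  .map { |f| File.basename(f, '.html.erb') }
+  .map { |f| File.basename(f, '.html.haml') }
+  .reject{ |f| f =~ /^_/ }
+  .sort
+  .uniq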
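Review bot: Both `Dir.glob` calls use paths relative to the process working directory (`'app/views/pages/*.html.{erb,haml}'`, `'app/views/layouts/*.html.{erb,haml}'`), so if the app is booted from anywhere other than Rails.root both allow-lists come out empty and every `pages#show` request raises; `Rails.root.join('app', 'views', 'pages', '*.html.{erb,haml}')` pins them to the application regardless of cwd. The resulting arrays are not frozen, so appending `.freeze` after each `.uniq` would stop anything from widening the allow-list at runtime. `STATIC_PAGE_LAYOUTS` admits every non-partial layout under app/views/layouts, so if the app has layouts never meant for public pages (a mailer or admin layout, for example — not visible here) they become user-selectable via `?layout=`; an explicit list of intended layouts may be safer than "whatever exists". The comment above the second constant is copied from the first and should read `# Look at the *.html.{erb,haml} files in the app/views/layouts directory`.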
Lines changed: 15 additions & 3 deletions
@@ -1,12 +1,24 @@
11
require 'spec_helper'
22

33
describe PagesController do
4-
54
it 'should be able to access privacy policy while user is logged in but not registered' do
65
unregisterd_user = Fabricate(:user, state: User::REGISTRATION)
76
controller.send :sign_in, unregisterd_user
8-
get :show, page: 'tos'
7+
get :show, page: 'tos', layout: 'application'
98
response.should be_success
109
end
1110

12-
end
11+
it 'fails when presented an non-whitelisted page' do
12+
unregisterd_user = Fabricate(:user, state: User::REGISTRATION)
13+
controller.send :sign_in, unregisterd_user
14+
15+
expect { get :show, page: 'IMNOTREAL' }.to raise_error 'Invalid page: IMNOTREAL'
16+
end
17+
18+
it 'fails when presented an non-whitelisted layout' do
19+
unregisterd_user = Fabricate(:user, state: User::REGISTRATION)
20+
controller.send :sign_in, unregisterd_user
21+
22+
expect { get :show, page: 'tos', layout: 'IMNOTREAL' }.to raise_error 'Invalid layout: IMNOTREAL'
23+
end
24+
end
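Review bot: The first example now passes `layout: 'application'` explicitly, so the `nil` branch of `whitelist_layout` (no `layout` param at all, which is the common case) is no longer exercised by any spec; keep the original `get :show, page: 'tos'` as its own example so the default-layout path stays covered. The three examples repeat the same sign-in setup, so a `before` block with `controller.send :sign_in, Fabricate(:user, state: User::REGISTRATION)` would shorten them, and `unregisterd_user` is misspelled (`unregistered_user`). Matching on the exact strings `'Invalid page: IMNOTREAL'` and `'Invalid layout: IMNOTREAL'` ties the specs to the wording of the exception; matching on the error class would survive a change to how invalid pages are reported. The filename of this spec is missing from the rendered section, so its path is not verifiable here.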
