Closed vulnerability in render path

just3ws · just3ws · commit 7a5fb58f995e · 2014-05-15T17:15:38.000-05:00
diff --git a/app/controllers/networks_controller.rb b/app/controllers/networks_controller.rb
@@ -25,13 +25,13 @@ def create
   end
 
   def index
+    @index_networks_params = params.permit(:sort, :action)
+
     @networks = Rails.cache.fetch('all_networks', expires_in: 1.day) { Network.all }
-    if params[:sort] == 'upvotes'
+    if @index_networks_params[:sort] == 'upvotes'
       Rails.cache.fetch('networks_by_upvotes', expires_in: 12.hours) { @networks.sort_by! { |network| -network.upvotes } }
-    elsif params[:sort] == 'newmembers'
+    elsif @index_networks_params[:sort] == 'newmembers'
       Rails.cache.fetch('networks_by_member_count', expires_in: 1.day) { @networks.sort_by! { |network| -network.new_members.count } }
-      #elsif params[:sort] == 'new'
-      #  @networks.sort_by(&:recent_protips_count)
     end
   end
 
@@ -208,4 +208,4 @@ def redirect_to_search
     tags = tags.map { |tag| "##{tag}" }.join(" ")
     redirect_to protips_path(search: tags, show_all: params[:show_all])
   end
-end
+end
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
@@ -102,6 +102,7 @@ def edit
   def update
     update_params = params.permit(:id, :_id, :job_id, :slug)
     update_team_params = params.require(:team).permit!
+    @section_id = (params.permit(:section_id) || {})[:section_id]
 
     @team = Team.find(update_params[:id])
     return head(:forbidden) unless current_user.belongs_to_team?(@team) || current_user.admin?
diff --git a/app/views/networks/index.html.haml b/app/views/networks/index.html.haml
@@ -1,23 +1,23 @@
--content_for :mixpanel do
-  = record_event('viewed networks page', sort: (params[:sort] || :default))
+- content_for :mixpanel do
+  = record_event('viewed networks page', sort: (@index_networks_params[[:sort] || :default))
 
 = content_for :body_id do
   protip-multiple
 
 = content_for :content_wrapper do
   = false
 
-=content_for :javascript do
-  =javascript_include_tag 'protips'
-  =javascript_include_tag 'networks'
+= content_for :javascript do
+  = javascript_include_tag 'protips'
+  = javascript_include_tag 'networks'
   :javascript
     var mynetworks = #{current_user.nil? ? [] : current_user.networks.map(&:name)};
     for (i = 0; i < mynetworks.length; i++) {
       $('.network h2 a').filter(function(){return $(this).text().trim() == mynetworks[i]}).closest('.network').find('.join-or-leave').addClass('member')
     }
     $('.network h2 a').filter(function(){return mynetworks.indexOf($(this).text().trim()) < 0}).closest('.network').find('.join-or-leave').removeClass('member').addClass('join')
 
-=content_for :footer_menu do
+= content_for :footer_menu do
   %li=link_to 'Protips', by_tags_protips_path
 
 .inside-main-content.cf
@@ -26,7 +26,7 @@
     %li
       %a{href: networks_path, class: networks_sub_nav_class('') + networks_sub_nav_class('a_z')}
         A - Z
-    - if params[:action] == 'index'
+    - if @index_networks_params[:action] == 'index'
       %li.add-network
         =link_to('Add Network', add_network_url, class: '')
 
@@ -37,5 +37,5 @@
         Join some
         = link_to 'here', networks_path
         or from the list below
-      = render partial: determine_networks_partial(params[:sort]), locals: {networks_list: current_user.try(:networks_based_on_skills) || Network.most_protips.first(7), user: (defined?(@user) ? @user : nil)}
-    = render partial: determine_networks_partial(params[:sort]), locals: {networks_list: @networks, user: (defined?(@user) ? @user : nil)}
+      = render partial: determine_networks_partial(@index_networks_params[:sort]), locals: {networks_list: current_user.try(:networks_based_on_skills) || Network.most_protips.first(7), user: (defined?(@user) ? @user : nil)}
+    = render partial: determine_networks_partial(@index_networks_params[:sort]), locals: {networks_list: @networks, user: (defined?(@user) ? @user : nil)}
diff --git a/app/views/teams/update.js.erb b/app/views/teams/update.js.erb
@@ -1,10 +1,10 @@
 $('#dimmer').css('display', 'none').css('z-index', -1000);
-$('<%=params[:section_id]%>').replaceWith('<%=escape_javascript(render(:partial => partialify_html_section_id(params[:section_id])))%>');
-<% if params[:section_id] == '#office-images' %>
+$('<%= @section_id%>').replaceWith('<%=escape_javascript(render(:partial => partialify_html_section_id(@section_id)))%>');
+<% if @section_id == '#office-images' %>
 autoOrganizePhotos();
 <% end %>
 <% if @team.has_specified_enough_info? %>
 $('.add-job.disable').removeClass('disable').attr('href', '<%= add_job_path(@team) %>');
 <% else %>
 $('.add-job').addClass('disable').attr('href', '<%= add_job_path(@team) %>');
-<% end %>
+<% end %>
