Clean up user input in routes

sas1ni69 · Sep 2, 2017 · 878fbda · 878fbda
1 parent 8661f4b
commit 878fbda
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 9 deletions.
diff --git a/app/helpers/session.rb b/app/helpers/session.rb
@@ -17,7 +17,7 @@ def current_user
 
       def login_url(return_path=nil)
         url = Github.login_url(client_id: github_client_id)
-        url << redirect_uri(return_path) if return_path
+        url << redirect_uri( Rack::Utils.escape_html(return_path) ) if return_path
         url
       end
 

diff --git a/app/routes/account.rb b/app/routes/account.rb
@@ -52,7 +52,7 @@ class Account < Core
 
         begin
           user_to_invite = ::User.find_by_username(params[:user_to_invite])
-          track = params[:track]
+          track = Rack::Utils.escape_html(params[:track])
 
           user_to_invite.present? or fail "couldn't find user for #{user_to_invite.username}"
           track.present? or fail "track cannot be blank"

diff --git a/app/routes/sessions.rb b/app/routes/sessions.rb
@@ -4,13 +4,13 @@ class Sessions < Core
       register ExercismWeb::Routes::GithubCallback
 
       get '/please-login' do
-        erb :"auth/please_login", locals: { return_path: params[:return_path] }
+        erb :"auth/please_login", locals: { return_path: Rack::Utils.escape_html(params[:return_path]) }
       end
 
       get '/login' do
         q = { client_id: github_client_id }
         if params.key?("return_path")
-          q[:redirect_uri] = [request.base_url, "github", "callback", params[:return_path]].join("/")
+          q[:redirect_uri] = [request.base_url, "github", "callback", Rack::Utils.escape_html(params[:return_path])].join("/")
         end
         redirect Github.login_url(q)
       end

diff --git a/app/routes/teams.rb b/app/routes/teams.rb
@@ -6,16 +6,17 @@ class Teams < Core
         please_login
 
         page = params[:page] || 1
+        q = Rack::Utils.escape_html(params["q"])
 
-        if params["q"].present?
-          tag = Tag.find_by(name: params["q"])
+        if q.present?
+          tag = Tag.find_by(name: q)
           teams = Team.search_public_with_tag(tag)
         else
           teams = Team.search_public
         end
 
         locals = {
-          tag: params["q"],
+          tag: q,
           teams: teams.paginate(page: page, per_page: 10),
         }.merge(teams_summary_for(current_user))
 
@@ -273,7 +274,7 @@ class Teams < Core
         only_for_team_managers(slug, "You are not allowed to add managers to the team.") do |team|
           user = ::User.find_by_username(params[:username])
           unless user.present?
-            flash[:error] = "Unable to find user #{params[:username]}"
+            flash[:error] = "Unable to find user #{Rack::Utils.escape_html(params[:username])}"
             redirect "/teams/#{slug}/manage"
           end
 

diff --git a/app/routes/user_exercises.rb b/app/routes/user_exercises.rb
@@ -33,7 +33,7 @@ class UserExercises < Core
         if params[:redirect].to_s.empty?
           redirect ["", "tracks", exercise.track_id, "exercises"].join('/')
         end
-        redirect params[:redirect]
+        redirect Rack::Utils.escape_html(params[:redirect])
       end
 
       post '/exercises/:key/archive' do |key|