YaleSTC / reservations

Manage equipment loans & reservations. Who can borrow what, for how long?
yalestc.github.io/reservations
MIT License
139 stars, 58 forks

Fix various security vulnerabilities #1679

Status: Closed (esoterik closed this 7 years ago)

esoterik commented 7 years ago

Resolves #1632, #1631, #1630, #1628

esoterik commented 7 years ago

RuboCop is going to flag the new uses of #raw and #html_safe as issues, but all calls to those methods are either on strings that are known to be safe (e.g. not user input / hard-coded strings) or on sanitized user input.

@orenyk this is ready for another review!
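The rule stated in the comment above (mark only hard-coded markup or sanitizer output as safe, never raw user input) rests on how ActiveSupport::SafeBuffer treats what is appended to it. The following is an added example, not code from YaleSTC/reservations or from Rails: a minimal stand-in class `SafeHtml` models the single SafeBuffer property that matters, namely that a plain String appended to the buffer is escaped while an already-"safe" object is not. `mark_safe` plays the role of `html_safe`/`raw`; the `item_row_*` helpers and the `<script>` probe string are constructed for illustration. Only the Ruby stdlib (`ERB::Util.html_escape`) is needed, so it runs without Rails.

```ruby
# Added example (hypothetical helpers, not from the reservations code base):
# why html_safe / raw is fine on hard-coded markup but an XSS bug on user input.
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer. Appending a plain String escapes it;
# appending another SafeHtml inserts its markup verbatim.
class SafeHtml
  attr_reader :html

  def initialize(html = '')
    @html = html.dup
  end

  def <<(other)
    @html << (other.is_a?(SafeHtml) ? other.html : ERB::Util.html_escape(other.to_s))
    self
  end

  def to_s
    @html
  end
end

# Stand-in for String#html_safe / raw(): declares a string to be trusted markup.
# Call it only on hard-coded strings or on the output of a real sanitizer.
def mark_safe(str)
  SafeHtml.new(str)
end

# VULNERABLE: the user-supplied name is declared safe, so the buffer does not
# escape it and a browser would execute whatever the name contains.
def item_row_unsafe(item_name)
  buf = SafeHtml.new
  buf << mark_safe('<td class="item">')
  buf << mark_safe(item_name) # user input marked safe: XSS
  buf << mark_safe('</td>')
  buf.to_s
end

# HARDENED: only the hard-coded tags are marked safe; the name is appended as a
# plain String, so the buffer HTML-escapes it. This is the pattern the comment
# above describes, and it still trips RuboCop's Rails/OutputSafety cop.
def item_row_safe(item_name)
  buf = SafeHtml.new
  buf << mark_safe('<td class="item">')
  buf << item_name
  buf << mark_safe('</td>')
  buf.to_s
end

# Constructed sample input: a reflected-XSS probe submitted as an equipment name.
PAYLOAD = '<script>alert(1)</script>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts item_row_unsafe(PAYLOAD)
  puts item_row_safe(PAYLOAD)
end
```

The check a reviewer would apply to each flagged `raw`/`html_safe` call is the one the two helpers make concrete: trace the argument back to its origin, and accept the call only if that origin is a literal in the source or the return value of `sanitize`, never a request parameter or a model attribute populated from one.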