restarone / violet_rails

An app engine for your business. Seamlessly implement business logic with a powerful API. Out-of-the-box CMS, blog, forum and email functionality. Developer-friendly and easily extendable for your next SaaS/XaaS project. Built with Rails 6, Devise, Sidekiq and PostgreSQL.
https://violet.restarone.solutions
MIT License
95 stars, 43 forks

sanitize method/model definitions coming into Violet Rails of things like: Subdomain, Apartment, Tenant, switch, SomeModel.destroy_all, SomeModel.update_all, global_admin, can_manage_users #570

Closed. alis-khadka closed this 2 years ago.

alis-khadka commented 2 years ago

We are using 'eval(#custom code)' in our code. We need to implement a way to scrub method/model definitions coming into Violet Rails of things like: Subdomain, Apartment, Tenant, switch, Subdomain.destroy_all, Subdomain.update_all, global_admin, can_manage_users, so we can open this up to platform developers on subdomains instead of whole systems (like how we have it now, because of this vulnerability).

donrestarone commented 2 years ago

ExternalApiClient has a column called model_definition.

Implement this as a before_save validation where we would gsub/replace all the restricted strings with something (which breaks the malicious code).

donrestarone commented 2 years ago

external_api_clients => model_definition

https://github.com/restarone/violet_rails/blob/master/app/models/api_action.rb#L64-L67
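A plain-Ruby sketch of the before_save scrubbing proposed in this thread, added here as an illustration and not taken from Violet Rails. The restricted identifiers are the ones listed in the issue; the placeholder string, the method names, the ExternalApiClientStub stand-in for the ActiveRecord model and the sample definitions are assumptions. It replaces each restricted identifier as a whole word (so Subdomain.destroy_all is broken but an unrelated name like my_switch_count is left alone), reports which tokens were found, and also exercises an input that substring replacement cannot see: a constant name assembled at runtime from string fragments. Any filter that sits in front of eval should be checked against inputs of that second kind, not only against the literal spellings.

```ruby
# Added example, not Violet Rails code. Plain Ruby so it runs without Rails.
# The token list is the one from the issue; everything else here is an assumption.
RESTRICTED_TOKENS = %w[
  Subdomain Apartment Tenant switch destroy_all update_all
  global_admin can_manage_users
].freeze

# Match each restricted identifier only as a whole word, so that
# "Subdomain.destroy_all" is caught but "my_switch_count" is not mangled.
RESTRICTED_PATTERN = /\b(#{RESTRICTED_TOKENS.map { |t| Regexp.escape(t) }.join('|')})\b/.freeze

# Assumed placeholder; anything that is not a valid identifier in the
# original position breaks the code when it is later eval'd.
PLACEHOLDER = '__restricted__'

# The gsub/replace step proposed in the issue.
def scrub_model_definition(source)
  source.gsub(RESTRICTED_PATTERN, PLACEHOLDER)
end

# Which restricted tokens appear, in order of first occurrence, for reporting.
def restricted_tokens_in(source)
  source.scan(RESTRICTED_PATTERN).flatten.uniq
end

# Stand-in for an ActiveRecord model with a before_save callback (assumed shape).
# It records an error for every restricted token and stores the scrubbed text.
class ExternalApiClientStub
  attr_reader :model_definition, :errors

  def initialize(model_definition)
    @model_definition = model_definition
    @errors = []
  end

  # Returns false when the definition had to be scrubbed, true otherwise.
  def save
    before_save
    @errors.empty?
  end

  private

  def before_save
    hits = restricted_tokens_in(@model_definition)
    @errors.concat(hits.map { |t| "model_definition references restricted token #{t}" })
    @model_definition = scrub_model_definition(@model_definition)
  end
end

# Constructed sample definitions (assumptions, not real tenant code).
DIRECT     = 'Subdomain.destroy_all'
TENANT     = 'Apartment::Tenant.switch("acme")'
BENIGN     = 'my_switch_count = 1'
# The constant and method names are built from fragments, so no whole-word
# match for "Subdomain" or "destroy_all" ever exists in the source text.
OBFUSCATED = 'Object.const_get("Sub" + "domain").public_send(:"destroy_" + "all")'

if $PROGRAM_NAME == __FILE__
  [DIRECT, TENANT, BENIGN, OBFUSCATED].each do |src|
    client = ExternalApiClientStub.new(src)
    saved = client.save
    puts "#{src.inspect}\n  saved=#{saved} scrubbed=#{client.model_definition.inspect}"
  end
end
```

Running the block prints the first two definitions broken by the placeholder, the benign one untouched, and the obfuscated one saved unchanged: a denylist gsub stops the obvious spellings and nothing else, which is worth knowing before relying on it as the only control between tenant input and eval.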