thoherr / brickevent

Registration and event management of the LUG Bricking Bavaria (and others)

Fix code scanning alert no. 8: Uncontrolled data used in path expression #116

Closed thoherr closed 1 week ago

thoherr commented 1 week ago

Fixes https://github.com/thoherr/brickevent/security/code-scanning/8

To fix the problem, we need to validate and sanitize the user input before using it to construct a file path. We can use the ActiveStorage::Filename#sanitized method in Rails to ensure that the file name is safe to use. This method will remove any potentially dangerous characters from the file name.

  1. In the EventsController, sanitize the params[:file] before passing it to the CsvExhibitImport service.
  2. Update the CsvExhibitImport service to handle the sanitized file name.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
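As an added example (not code from the brickevent repository or from the Copilot suggestion), here is the sanitize-then-check pattern the PR describes, in plain Ruby: the flagged pattern beside a hardened one. Rails is not loaded, so the `sanitize_filename` helper reproduces the character replacement that `ActiveStorage::Filename#sanitized` performs; the helper names, `import_dir` and the file names are assumptions.

```ruby
require "pathname"

# Added example, not code from the brickevent project. The transformation in
# sanitize_filename mirrors ActiveStorage::Filename#sanitized from Rails
# (assumption: Rails is not loaded here, so the block runs stand-alone).

# Characters ActiveStorage::Filename#sanitized replaces with a dash:
# RTL override, %, $, |, :, ;, /, tab, CR, LF and backslash.
UNSAFE_FILENAME_CHARS = "\u{202E}%$|:;/\t\r\n\\".freeze

# Equivalent of ActiveStorage::Filename.new(name).sanitized
def sanitize_filename(name)
  name.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "\u{FFFD}")
      .strip
      .tr(UNSAFE_FILENAME_CHARS, "-")
end

# The pattern the code-scanning alert flags: user input goes straight into a
# path. A value such as "../../etc/passwd" escapes the import directory.
def unsafe_import_path(import_dir, user_file)
  File.join(import_dir, user_file)
end

# Hardened version: sanitize the name (so "/" and "\" cannot add path
# components), then confirm the resolved path still lies under import_dir.
# The containment check matters because sanitized leaves a bare ".." intact.
def safe_import_path(import_dir, user_file)
  base = File.absolute_path(import_dir)
  name = sanitize_filename(user_file.to_s)
  raise ArgumentError, "invalid file name" if name.empty? || name == "." || name == ".."

  # absolute_path (unlike expand_path) does not expand a leading "~"
  resolved = File.absolute_path(name, base)
  unless resolved.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "file name resolves outside #{base}"
  end
  resolved
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_import_path("/srv/imports", "../../etc/passwd") # /srv/imports/../../etc/passwd
  puts safe_import_path("/srv/imports", "../../etc/passwd")   # /srv/imports/..-..-etc-passwd
end
```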