Merge pull request from GHSA-2p5p-m353-833w

Previously, order parameters were passed directly through to the query. This meant that passing in `foo` via a URL string would try and sort by `foo`.
thoughtbot · Mar 13, 2020 · 3ab838b · 3ab838b
1 parent decf629
commit 3ab838b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/lib/administrate/order.rb b/lib/administrate/order.rb
@@ -2,7 +2,7 @@ module Administrate
   class Order
     def initialize(attribute = nil, direction = nil)
       @attribute = attribute
-      @direction = direction || :asc
+      @direction = sanitize_direction(direction)
     end
 
     def apply(relation)
@@ -34,6 +34,10 @@ def order_params_for(attr)
 
     attr_reader :attribute
 
+    def sanitize_direction(direction)
+      %w[asc desc].include?(direction.to_s) ? direction.to_sym : :asc
+    end
+
     def reversed_direction_param_for(attr)
       if ordered_by?(attr)
         opposite_direction
@@ -43,7 +47,7 @@ def reversed_direction_param_for(attr)
     end
 
     def opposite_direction
-      direction.to_sym == :asc ? :desc : :asc
+      direction == :asc ? :desc : :asc
     end
 
     def order_by_association(relation)

diff --git a/spec/lib/administrate/order_spec.rb b/spec/lib/administrate/order_spec.rb
@@ -51,6 +51,17 @@
         expect(relation).to have_received(:reorder).with("table_name.name desc")
         expect(ordered).to eq(relation)
       end
+
+      it "sanitizes arbitary direction parameters" do
+        order = Administrate::Order.new(:name, :foo)
+        relation = relation_with_column(:name)
+        allow(relation).to receive(:reorder).and_return(relation)
+
+        ordered = order.apply(relation)
+
+        expect(relation).to have_received(:reorder).with("table_name.name asc")
+        expect(ordered).to eq(relation)
+      end
     end
 
     context "when relation has_many association" do