Fix vulnerable.

This commit is contained in:
BoHung Chiu 2022-11-01 21:08:45 +08:00
parent bdb02aa184
commit 97884844bf
2 changed files with 7 additions and 6 deletions


@ -8,7 +8,7 @@ class Admin::PersonalPluginFieldsController < OrbitMemberController
end end
def new def new
@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
@personal_plugin_field = PersonalPluginField.new @personal_plugin_field = PersonalPluginField.new
end end
def download def download
@ -16,19 +16,20 @@ class Admin::PersonalPluginFieldsController < OrbitMemberController
FileUtils.mkdir_p(zip_path) if !Dir.exist?(zip_path) FileUtils.mkdir_p(zip_path) if !Dir.exist?(zip_path)
personal_plugin_field = PersonalPluginField.find(params[:personal_plugin_field_id]) rescue nil personal_plugin_field = PersonalPluginField.find(params[:personal_plugin_field_id]) rescue nil
if personal_plugin_field if personal_plugin_field
zip_file_path = zip_path + "#{personal_plugin_field.module_name.split('/').last}.zip" module_name = File.basename(personal_plugin_field.module_name)
zip_file= ZipFileGenerator.new(zip_path + personal_plugin_field.module_name ,zip_file_path) zip_file_path = zip_path + "#{module_name}.zip"
zip_file= ZipFileGenerator.new(zip_path + module_name ,zip_file_path)
begin begin
zip_file.write zip_file.write
rescue rescue
File.delete(zip_path + "#{personal_plugin_field.module_name}.zip") File.delete(zip_path + "#{module_name}.zip")
zip_file.write zip_file.write
end end
send_file(zip_file_path) send_file(zip_file_path)
end end
end end
def copy def copy
@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
attributes = PersonalPluginField.find(params[:personal_plugin_field_id]).attributes rescue {} attributes = PersonalPluginField.find(params[:personal_plugin_field_id]).attributes rescue {}
attributes = attributes.except("_id") attributes = attributes.except("_id")
copy_attributes = {} copy_attributes = {}
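Review bot: `File.basename` on the new module_name line in download leaves `.` and `..` (and the empty string) unchanged, so a stored module_name with one of those values still makes `zip_path + module_name` name the zip directory itself or its parent instead of a plugin subdirectory, and the generator would archive and send that; whether such values can reach the record depends on validation not visible in this hunk. A guard before the paths are built closes the gap: `return head(:bad_request) if ['', '.', '..'].include?(module_name)`. The `.to_s` coercion added to `params['uid']` in new and copy is not applied to `params[:personal_plugin_field_id]` on the find lines in download and copy; if `find` on this model accepts a hash the same query-shaping concern applies there. download begins in the first hunk and its lines between the two hunks are out of view, and copy continues past the end of the hunk.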


@ -119,7 +119,7 @@ class PersonalPluginTemplatesController < ApplicationController
plugin_templates = plugin_templates.where(:id.in=>tmp_plugin_templates.map{|p| p.id}) plugin_templates = plugin_templates.where(:id.in=>tmp_plugin_templates.map{|p| p.id})
elsif select_field.split(".").count > 1 elsif select_field.split(".").count > 1
relate_name = select_field.split(".").first relate_name = select_field.split(".").first
field_name = select_field.split(".").last field_name = select_field.split(".").last.gsub(/^\$+/, '')
relate = relate_name.classify.constantize relate = relate_name.classify.constantize
relate_ids = relate.where(field_name=>/#{gsub_invalid_character(keywords)}/).pluck(:id) relate_ids = relate.where(field_name=>/#{gsub_invalid_character(keywords)}/).pluck(:id)
plugin_templates = plugin_templates.where("#{relate_name.singularize}_id"=>{'$in'=>relate_ids}) plugin_templates = plugin_templates.where("#{relate_name.singularize}_id"=>{'$in'=>relate_ids})
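Review bot: Stripping leading `$` from field_name hardens the query key, but relate_name on the line above is taken from the same select_field and still flows unchanged into `classify.constantize`, so any constant name the caller can spell is resolved and queried; whether select_field is caller-supplied is not visible in this hunk, but if it is, that is the larger exposure. An allowlist is the defensible check, e.g. `raise ActionController::BadRequest unless PERMITTED_RELATIONS.include?(relate_name)` with `PERMITTED_RELATIONS` a frozen constant of the relation names the templates actually expose (to be defined). The keywords interpolated into the regexp on the relate.where line rely on `gsub_invalid_character` for escaping, which cannot be confirmed from here. The enclosing method starts and ends outside the hunk.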