fix for security issue

2024-11-28 18:37:25 +08:00 · 2024-11-28 18:37:25 +08:00 · 5fde95565a
parent f71fcdcefa
commit 5fde95565a
1 changed files with 14 additions and 0 deletions
--- a/app/controllers/property_hires_controller.rb
+++ b/app/controllers/property_hires_controller.rb
@ -367,6 +367,9 @@ class PropertyHiresController < ApplicationController


  def get_bookings
+    if !(valid_timestamp?(params[:start]) && valid_timestamp?(params[:end]))
+      return render json: {}, status: :unprocessable_entity
+    end
    events =[]
    allevents = []
    if params[:property_id] == "all"
@ -667,4 +670,15 @@ class PropertyHiresController < ApplicationController
    return allevents
  end

+  def valid_timestamp?(number)
+    begin
+      # Ensure the input is numeric and within a practical range
+      number = Integer(number) rescue Float(number)
+      min_timestamp = Time.new(1900, 1, 1).to_i
+      max_timestamp = Time.new(3000, 12, 31).to_i
+      number >= min_timestamp && number <= max_timestamp
+    rescue ArgumentError, TypeError
+      false
+    end
+  end
 end