Fix vulnerabilities.

This commit is contained in:
BoHung Chiu 2022-10-24 16:38:47 +08:00
parent 779d49f128
commit 1439556e13
8 changed files with 10043 additions and 2679 deletions




@ -3,7 +3,7 @@ class AnnouncementFeedsController < ApplicationController
include Admin::AnnouncementsHelper
def feed_add_remote
if params[:url].present?
uid = params[:uid]
uid = params[:uid].to_s
bulletin_feed = BulletinFeed.where(uid: uid).first
if !(bulletin_feed.remote_urls.include?(params[:url]))
bulletin_feed.remote_urls << params[:url]
@ -14,7 +14,7 @@ class AnnouncementFeedsController < ApplicationController
end
def feed_remove_remote
if params[:url].present?
uid = params[:uid]
uid = params[:uid].to_s
bulletin_feed = BulletinFeed.where(uid: uid).first
if bulletin_feed.remote_urls.delete(params[:url])
bulletin_feed.save
@ -23,7 +23,7 @@ class AnnouncementFeedsController < ApplicationController
render :json => {success: true}
end
def feed
uid = params[:uid]
uid = params[:uid].to_s
startdt = params[:start].blank? ? nil : params[:start]
enddt = params[:end].blank? ? nil : params[:end]
dt = params[:date].blank? ? nil : params[:date]
@ -46,7 +46,7 @@ class AnnouncementFeedsController < ApplicationController
end
def rssfeed
uid = params[:uid]
uid = params[:uid].to_s
@bf = BulletinFeed.find_by(:uid => uid) rescue nil
if !@bf.nil?
tags = @bf.tag_ids
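Review bot: feed_add_remote and feed_remove_remote still dereference bulletin_feed right after `BulletinFeed.where(uid: uid).first` with no nil check, so an unknown uid — any string now reaches the query thanks to the `.to_s` cast — raises NoMethodError on `remote_urls` instead of answering with JSON; add `return render(:json => {success: false}) if bulletin_feed.nil?` before the remote_urls access in both actions. The string cast the commit applies to uid is missing for params[:url], which is appended to remote_urls as whatever object Rack parsed; `url = params[:url].to_s` plus a scheme check such as `URI.parse(url).is_a?(URI::HTTP)` (URI::HTTPS is a subclass; URI.parse can raise URI::InvalidURIError) would keep only well-formed http(s) URLs in a list that is presumably fetched later. In rssfeed the `find_by(:uid => uid) rescue nil` modifier hides every error, not just a missing document; `BulletinFeed.where(:uid => uid).first`, as the other three actions already do, returns nil without a rescue. All four action bodies continue outside their hunks.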


@ -543,7 +543,7 @@ class Bulletin
http = Net::HTTP.new(new_uri.host, new_uri.port)
if location.include?('https')
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
end
request.instance_variable_set(:@path, new_uri.path)
response = self.http_request(http, request)
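Review bot: The TLS decision two lines above the changed one is a substring test, `location.include?('https')`, so a plain-http redirect whose path or query contains "https" gets use_ssl turned on for port 80, while an `http://` Location without that substring is followed in plaintext even when the original request was https; test the parsed scheme instead, `if new_uri.scheme == 'https'`. With VERIFY_PEER a certificate that does not validate now raises OpenSSL::SSL::SSLError out of http_request instead of connecting silently, which is the intent of the change and deserves a one-line comment on the verify_mode line, e.g. `# verify the peer certificate: a bad cert is an error, not a warning`. Note also that `instance_variable_set(:@path, new_uri.path)` drops any query string from the redirect target; `new_uri.request_uri` keeps it. The enclosing method starts and ends outside the hunk.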


@ -130,11 +130,13 @@ class Admin::SitesController < OrbitAdminController
end
def system_info
@disk_free = `df -h /`.gsub("\n","<br/>").html_safe
@nginx_version = %x[/usr/sbin/nginx -v 2>&1].gsub("\n","<br/>").html_safe
@mongo_version = `mongod --version`.split("\n")[0].html_safe
@linux_version = `lsb_release -d`.split(":")[1].html_safe rescue "Not Applicable"
@disk_free = `df -h /`.rstrip()
@nginx_version = %x[/usr/sbin/nginx -v 2>&1].rstrip()
@mongo_version = (Mongoid.default_client.command(buildInfo: 1).first[:version] rescue '')
@linux_version = `lsb_release -ds`.rstrip()
if @linux_version.blank?
@linux_version = "Not Applicable"
end
if !params[:user_logs].nil?
@user_page = params[:page].to_i
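Review bot: The new `@linux_version = `lsb_release -ds`.rstrip()` drops the old `rescue "Not Applicable"`, so on a host without lsb_release the backtick raises Errno::ENOENT and system_info fails instead of showing the fallback; the blank check that follows only covers a binary that exists and prints nothing. Mirror the mongo line, `@linux_version = (`lsb_release -ds`.rstrip rescue '')`, or rescue Errno::ENOENT explicitly. Removing html_safe from the command output is the right move — the strings now pass through the view's escaping — but the `"\n"` to `<br/>` conversion went with it, so the template presumably needs simple_format or a `<pre>` to keep the df output readable; worth confirming against the view. Style: `.rstrip()` with empty parentheses is unidiomatic; `.rstrip` alone.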


@ -60,7 +60,7 @@ module Admin::GmailHelper
res_net = Net::HTTP.start(uri.host, uri.port,
:use_ssl => uri.scheme == 'https',
open_timeout: 60,read_timeout: 60,
verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
req = Net::HTTP::Post.new(uri)
req.content_type='application/x-www-form-urlencoded'
req_params.each do |k,v|
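Review bot: With verify_mode now VERIFY_PEER, a certificate that does not validate raises OpenSSL::SSL::SSLError from Net::HTTP.start, where the old VERIFY_NONE setting let the request proceed; nothing in the hunk rescues it, so unless the caller outside the hunk does, the Gmail request now fails loudly on a bad certificate — the intended effect, and worth a comment on that line such as `# VERIFY_PEER: reject untrusted certificates instead of silently accepting them`. VERIFY_PEER is also Net::HTTP's default once use_ssl is true, so keeping the keyword is only for explicitness; if it stays, the argument list mixes `:use_ssl =>` with `open_timeout:` and has no space after the comma — `use_ssl: uri.scheme == 'https', open_timeout: 60, read_timeout: 60,` reads consistently with the changed line.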


@ -1,5 +1,15 @@
module Admin::PlaygroundHelper
require 'securerandom'
def secure_rand_number(max_num)
if max_num.is_a?(Range)
min_num = max_num.begin.to_i
offset = max_num.exclude_end? ? 0 : 1
max_num = max_num.end.to_i - min_num + offset
min_num + SecureRandom.random_number(max_num)
else
SecureRandom.random_number(max_num.to_i)
end
end
def make_announcement_fake_data(ma, total_count=5)
page = Page.Where(:module => ma.key).first rescue nil
if page.nil?
@ -32,13 +42,13 @@ module Admin::PlaygroundHelper
bulletin.remote_image_url = get_fake_image_url(ma.key)
bulletin.save
fake_ids << bulletin.id
(1..rand(1..5)).each do |x|
(1..secure_rand_number(1..5)).each do |x|
bf = BulletinFile.new(:title_translations => get_random_title, :description_translations => get_random_title)
bf.remote_file_url = get_fake_file_url(ma.key)
bf.bulletin = bulletin
bf.save
end
(1..rand(1..5)).each do |x|
(1..secure_rand_number(1..5)).each do |x|
bl = BulletinLink.new(:title_translations => get_random_title, :url => get_fake_link)
bl.bulletin = bulletin
bl.save
@ -70,7 +80,7 @@ module Admin::PlaygroundHelper
banner.category = cat
banner.save
fake_ids << banner.id
(1..rand(2..4)).each do |x|
(1..secure_rand_number(2..4)).each do |x|
image = AdImage.new(:title_translations => get_random_title, :context_translations => get_random_title, :out_link => get_fake_link, :deadline => get_fake_date, :sort_number => x, :link_open => AdImage::LINK_OPEN_TYPES.sample)
image.remote_file_url = get_fake_image_url(ma.key)
image.banner = banner
@ -116,13 +126,13 @@ module Admin::PlaygroundHelper
qa.tags=tag
qa.save
fake_ids << qa.id
(1..rand(1..5)).each do |x|
(1..secure_rand_number(1..5)).each do |x|
qf = QaFile.new(:title_translations => get_random_title, :description_translations => get_random_title)
qf.remote_file_url = get_fake_file_url(ma.key)
qf.qa = qa
qf.save
end
(1..rand(1..5)).each do |x|
(1..secure_rand_number(1..5)).each do |x|
ql = QaLink.new(:title_translations => get_random_title, :url => get_fake_link)
ql.qa = qa
ql.save
@ -167,7 +177,7 @@ module Admin::PlaygroundHelper
archive.tags=tag
archive.save
fake_ids << archive.id
(1..rand(1..5)).each do |x|
(1..secure_rand_number(1..5)).each do |x|
afm = ArchiveFileMultiple.new(:file_title_translations => get_random_title, :sort_number => x)
afm.remote_file_url = get_fake_file_url(ma.key)
afm.archive_file = archive
@ -213,7 +223,7 @@ module Admin::PlaygroundHelper
album.category = cat
album.save
fake_ids << album.id
(1..rand(5..10)).each do |x|
(1..secure_rand_number(5..10)).each do |x|
image = AlbumImage.new(:title => get_random_title["zh_tw"], :description_translations => get_random_title, :order => x)
image.remote_file_url = get_fake_image_url(ma.key)
image.album = album
@ -271,7 +281,7 @@ module Admin::PlaygroundHelper
end
def get_fake_date(no=100)
Time.now + rand(1..no).days
Time.now + secure_rand_number(1..no).days
end
def get_fake_link
@ -289,11 +299,11 @@ module Admin::PlaygroundHelper
end
def get_fake_file_url(key)
OrbitStore::URL + "/fake_data/#{key}/files/" + rand(1..5).to_s + ".txt"
OrbitStore::URL + "/fake_data/#{key}/files/" + secure_rand_number(1..5).to_s + ".txt"
end
def get_fake_image_url(key)
OrbitStore::URL + "/fake_data/#{key}/images/" + rand(1..15).to_s + ".jpg"
OrbitStore::URL + "/fake_data/#{key}/images/" + secure_rand_number(1..15).to_s + ".jpg"
end
def get_random_status
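Review bot: secure_rand_number in the first hunk returns a Float for degenerate input: an empty range such as `5..4`, or an integer bound of 0 or less, makes `max_num` 0 or negative and `SecureRandom.random_number(0)` then yields a float in [0, 1), which the later call sites feed into `.days` and `.to_s`; none of the current callers pass such a range, but the helper is a public module method. `SecureRandom.random_number` already accepts a Range (Random::Formatter, Ruby 2.3 and later), so the begin/offset arithmetic can go and an empty range can be rejected with ArgumentError, as in the rewrite below. The `require 'securerandom'` belongs at the top of the file rather than inside the module body. Unrelated to the change but visible on the line after the helper, `Page.Where(...)` with a capital W looks like a NoMethodError that the `rescue nil` modifier hides, leaving page always nil — worth confirming. The remaining hunks in this section only swap `rand(...)` for the helper.
```ruby
def secure_rand_number(max_num)
  # Accept an Integer bound (meaning 0...n) or a Range of Integers; SecureRandom.random_number
  # takes a Range directly, so no begin/offset arithmetic is needed.
  range = max_num.is_a?(Range) ? Range.new(max_num.begin.to_i, max_num.end.to_i, max_num.exclude_end?) : (0...max_num.to_i)
  # random_number(0) would return a Float; make a degenerate bound an error instead.
  raise ArgumentError, "secure_rand_number: empty range #{max_num.inspect}" if range.size.zero?
  SecureRandom.random_number(range)
end
```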


@ -250,7 +250,7 @@ module Orbit
request = ActionDispatch::Request.new(env)
request_path = env["REQUEST_PATH"].to_s.sub(/^\/#{I18n.locale}\//, '/')
session = env["rack.session"]
if Rails.env != "production" && request_path.start_with?('/admin') && (@current_user = (session[:user_id] ? User.find(session[:user_id]) : nil) rescue nil)
if (Site::DEBUG rescue false) || (Rails.env != "production" && request_path.start_with?('/admin') && (@current_user = (session[:user_id] ? User.find(session[:user_id]) : nil) rescue nil))
exception = env['action_dispatch.exception']
@routes_app = env["action_dispatch.routes"]
if Is_Rails5
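Review bot: The new `(Site::DEBUG rescue false) ||` short-circuits the whole guard, so whenever Site::DEBUG is set the branch runs for every request in every environment — production included, any path, no session required — and the exception handling below it (outside the hunk) is shown to anyone; the old condition required non-production, an /admin path and a resolvable user. If the flag is meant to allow debugging in production, let it replace only the environment test and keep the path and user checks: `if ((Site::DEBUG rescue false) || Rails.env != "production") && request_path.start_with?('/admin') && (@current_user = (session[:user_id] ? User.find(session[:user_id]) : nil) rescue nil)`. The `rescue false` modifier also swallows any error raised while evaluating the constant, not just an undefined one; `defined?(Site::DEBUG) && Site::DEBUG` says what is meant. The enclosing method continues past the hunk.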