Maintenance: Add note attribute sanitization to not yet checked models.

2021-04-12 11:49:26 +02:00 · 2021-04-12 11:49:26 +02:00 · d32ea5e0d3
parent 5e4084d908
commit d32ea5e0d3
40 changed files with 106 additions and 4 deletions
--- a/app/models/chat.rb
+++ b/app/models/chat.rb
@ -1,9 +1,13 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Chat < ApplicationModel
+  include ChecksHtmlSanitized
+
  validates :name, presence: true
  store     :preferences

+  sanitized_html :note
+
 =begin

 get the customer state of a chat
--- a/app/models/email_address.rb
+++ b/app/models/email_address.rb
@ -1,6 +1,7 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class EmailAddress < ApplicationModel
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasCollectionUpdate

@ -16,6 +17,8 @@ class EmailAddress < ApplicationModel
  after_update    :update_email_address_id
  before_destroy  :delete_group_reference

+  sanitized_html :note
+
  collection_push_permission('ticket.agent')

 =begin
--- a/app/models/group.rb
+++ b/app/models/group.rb
@ -4,6 +4,7 @@ class Group < ApplicationModel
  include CanBeImported
  include HasActivityStreamLog
  include ChecksClientNotification
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasHistory
  include HasObjectManagerAttributesValidation
@ -16,5 +17,7 @@ class Group < ApplicationModel

  validates :name, presence: true

+  sanitized_html :note
+
  activity_stream_permission 'admin.group'
 end
--- a/app/models/history/object.rb
+++ b/app/models/history/object.rb
@ -1,4 +1,7 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class History::Object < ApplicationModel
+  include ChecksHtmlSanitized
+
+  sanitized_html :note
 end
--- a/app/models/job.rb
+++ b/app/models/job.rb
@ -3,6 +3,7 @@
 class Job < ApplicationModel
  include ChecksClientNotification
  include ChecksConditionValidation
+  include ChecksHtmlSanitized
  include ChecksPerformValidation

  include Job::Assets
@ -15,6 +16,8 @@ class Job < ApplicationModel
  before_create :updated_matching, :update_next_run_at
  before_update :updated_matching, :update_next_run_at

+  sanitized_html :note
+
 =begin

 verify each job if needed to run (e. g. if true and times are matching) and execute it
--- a/app/models/link/object.rb
+++ b/app/models/link/object.rb
@ -1,5 +1,9 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Link::Object < ApplicationModel
+  include ChecksHtmlSanitized
+
  validates :name, presence: true
+
+  sanitized_html :note
 end
--- a/app/models/link/type.rb
+++ b/app/models/link/type.rb
@ -1,5 +1,9 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Link::Type < ApplicationModel
+  include ChecksHtmlSanitized
+
  validates :name, presence: true
+
+  sanitized_html :note
 end
--- a/app/models/macro.rb
+++ b/app/models/macro.rb
@ -2,6 +2,7 @@

 class Macro < ApplicationModel
  include ChecksClientNotification
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include CanSeed
  include HasCollectionUpdate
@ -12,5 +13,7 @@ class Macro < ApplicationModel

  has_and_belongs_to_many :groups, after_add: :cache_update, after_remove: :cache_update, class_name: 'Group'

+  sanitized_html :note
+
  collection_push_permission('ticket.agent')
 end
--- a/app/models/notification.rb
+++ b/app/models/notification.rb
@ -1,4 +1,7 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Notification < ApplicationModel
+  include ChecksHtmlSanitized
+
+  sanitized_html :note
 end
--- a/app/models/permission.rb
+++ b/app/models/permission.rb
@ -2,6 +2,7 @@

 class Permission < ApplicationModel
  include ChecksClientNotification
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasCollectionUpdate

@ -9,6 +10,8 @@ class Permission < ApplicationModel
  validates               :name, presence: true
  store                   :preferences

+  sanitized_html :note
+
 =begin

  permissions = Permission.with_parents('some_key.sub_key')
--- a/app/models/postmaster_filter.rb
+++ b/app/models/postmaster_filter.rb
@ -1,6 +1,8 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class PostmasterFilter < ApplicationModel
+  include ChecksHtmlSanitized
+
  store     :perform
  store     :match
  validates :name, presence: true
@ -8,6 +10,8 @@ class PostmasterFilter < ApplicationModel
  before_create :validate_condition
  before_update :validate_condition

+  sanitized_html :note
+
  def validate_condition
    raise Exceptions::UnprocessableEntity, 'Min. one match rule needed!' if match.blank?

--- a/app/models/role.rb
+++ b/app/models/role.rb
@ -4,6 +4,7 @@ class Role < ApplicationModel
  include CanBeImported
  include HasActivityStreamLog
  include ChecksClientNotification
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasGroups
  include HasCollectionUpdate
@ -29,6 +30,8 @@ class Role < ApplicationModel

  activity_stream_permission 'admin.role'

+  sanitized_html :note
+
 =begin

 grant permission to role
--- a/app/models/scheduler.rb
+++ b/app/models/scheduler.rb
@ -1,8 +1,12 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Scheduler < ApplicationModel
+  include ChecksHtmlSanitized
+
  extend ::Mixin::StartFinishLogger

+  sanitized_html :note
+
  # rubocop:disable Style/ClassVars
  @@jobs_started = {}
  # rubocop:enable Style/ClassVars
--- a/app/models/signature.rb
+++ b/app/models/signature.rb
@ -8,7 +8,7 @@ class Signature < ApplicationModel
  has_many  :groups,  after_add: :cache_update, after_remove: :cache_update
  validates :name,    presence: true

-  sanitized_html :body
+  sanitized_html :body, :note

  collection_push_permission('ticket.agent')
 end
--- a/app/models/store/object.rb
+++ b/app/models/store/object.rb
@ -2,6 +2,10 @@

 class Store < ApplicationModel
  class Object < ApplicationModel
+    include ChecksHtmlSanitized
+
    validates :name, presence: true
+
+    sanitized_html :note
  end
 end
--- a/app/models/text_module.rb
+++ b/app/models/text_module.rb
@ -11,7 +11,7 @@ class TextModule < ApplicationModel
  before_create  :validate_content
  before_update  :validate_content

-  sanitized_html :content
+  sanitized_html :content, :note

  csv_delete_possible true

--- a/app/models/ticket/article/sender.rb
+++ b/app/models/ticket/article/sender.rb
@ -1,8 +1,11 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Ticket::Article::Sender < ApplicationModel
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasCollectionUpdate

  validates :name, presence: true
+
+  sanitized_html :note
 end
--- a/app/models/ticket/article/type.rb
+++ b/app/models/ticket/article/type.rb
@ -1,8 +1,11 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 class Ticket::Article::Type < ApplicationModel
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasCollectionUpdate

  validates :name, presence: true
+
+  sanitized_html :note
 end
--- a/app/models/ticket/priority.rb
+++ b/app/models/ticket/priority.rb
@ -2,6 +2,7 @@

 class Ticket::Priority < ApplicationModel
  include CanBeImported
+  include ChecksHtmlSanitized
  include HasCollectionUpdate
  include HasSearchIndexBackend

@ -12,6 +13,8 @@ class Ticket::Priority < ApplicationModel
  after_update  :ensure_defaults
  after_destroy :ensure_defaults

+  sanitized_html :note
+
  attr_accessor :callback_loop

  def ensure_defaults
--- a/app/models/ticket/state.rb
+++ b/app/models/ticket/state.rb
@ -2,6 +2,7 @@

 class Ticket::State < ApplicationModel
  include CanBeImported
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasCollectionUpdate
  include HasSearchIndexBackend
@ -15,6 +16,8 @@ class Ticket::State < ApplicationModel

  validates :name, presence: true

+  sanitized_html :note
+
  attr_accessor :callback_loop

 =begin
--- a/app/models/ticket/state_type.rb
+++ b/app/models/ticket/state_type.rb
@ -2,9 +2,12 @@

 class Ticket::StateType < ApplicationModel
  include CanBeImported
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved

  has_many :states, class_name: 'Ticket::State', inverse_of: :state_type

  validates :name, presence: true
+
+  sanitized_html :note
 end
--- a/app/models/trigger.rb
+++ b/app/models/trigger.rb
@ -2,6 +2,7 @@

 class Trigger < ApplicationModel
  include ChecksConditionValidation
+  include ChecksHtmlSanitized
  include ChecksPerformValidation
  include CanSeed

@ -10,4 +11,6 @@ class Trigger < ApplicationModel
  store     :condition
  store     :perform
  validates :name, presence: true
+
+  sanitized_html :note
 end
--- a/app/models/webhook.rb
+++ b/app/models/webhook.rb
@ -2,6 +2,7 @@

 class Webhook < ApplicationModel
  include ChecksClientNotification
+  include ChecksHtmlSanitized
  include ChecksLatestChangeObserved
  include HasCollectionUpdate

@ -10,6 +11,8 @@ class Webhook < ApplicationModel
  validates :name, presence: true
  validate :validate_endpoint

+  sanitized_html :note
+
  private

  def validate_endpoint
--- a/spec/models/chat_spec.rb
+++ b/spec/models/chat_spec.rb
@ -1,8 +1,10 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 require 'rails_helper'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Chat, type: :model do
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :chat

  describe 'website whitelisting' do
    let(:chat) { create(:chat, whitelisted_websites: 'zammad.org') }
--- a/spec/models/email_address_spec.rb
+++ b/spec/models/email_address_spec.rb
@ -2,11 +2,13 @@

 require 'rails_helper'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe EmailAddress, type: :model do
  subject(:email_address) { create(:email_address) }

  it_behaves_like 'HasCollectionUpdate', collection_factory: :email_address
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :email_address

  describe 'Attributes:' do
    describe '#active' do
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@ -6,6 +6,7 @@ require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/has_object_manager_attributes_validation_examples'
 require 'models/concerns/has_collection_update_examples'
 require 'models/concerns/has_ticket_create_screen_impact_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Group, type: :model do
  it_behaves_like 'ApplicationModel'
@ -13,4 +14,5 @@ RSpec.describe Group, type: :model do
  it_behaves_like 'HasObjectManagerAttributesValidation'
  it_behaves_like 'HasCollectionUpdate', collection_factory: :group
  it_behaves_like 'HasTicketCreateScreenImpact', create_screen_factory: :group
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :group
 end
--- a/spec/models/job_spec.rb
+++ b/spec/models/job_spec.rb
@ -2,11 +2,13 @@

 require 'rails_helper'
 require 'models/application_model_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Job, type: :model do
  subject(:job) { create(:job) }

  it_behaves_like 'ApplicationModel', can_assets: { selectors: %i[condition perform] }
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :job

  describe 'Class methods:' do
    describe '.run' do
--- a/spec/models/macro_spec.rb
+++ b/spec/models/macro_spec.rb
@ -2,7 +2,9 @@

 require 'rails_helper'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Macro, type: :model do
  it_behaves_like 'HasCollectionUpdate', collection_factory: :macro
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :macro
 end
--- a/spec/models/permission_spec.rb
+++ b/spec/models/permission_spec.rb
@ -2,9 +2,11 @@

 require 'rails_helper'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Permission, type: :model do
  it_behaves_like 'HasCollectionUpdate', collection_factory: :permission
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :permission

  describe '.with_parents' do
    context 'when given a simple string (no dots)' do
--- a/spec/models/role_spec.rb
+++ b/spec/models/role_spec.rb
@ -6,6 +6,7 @@ require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/has_groups_examples'
 require 'models/concerns/has_collection_update_examples'
 require 'models/concerns/has_ticket_create_screen_impact_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Role do
  subject(:role) { create(:role) }
@ -15,6 +16,7 @@ RSpec.describe Role do
  it_behaves_like 'HasGroups', group_access_factory: :role
  it_behaves_like 'HasCollectionUpdate', collection_factory: :role
  it_behaves_like 'HasTicketCreateScreenImpact', create_screen_factory: :role
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :role

  describe 'Default state' do
    describe 'of whole table:' do
--- a/spec/models/scheduler_spec.rb
+++ b/spec/models/scheduler_spec.rb
@ -1,10 +1,10 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 require 'rails_helper'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Scheduler do

-  let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' }
  let(:test_backend_class) do
    Class.new do
      def self.start
@ -22,11 +22,14 @@ RSpec.describe Scheduler do
      end
    end
  end
+  let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' }

  before do
    stub_const test_backend_name, test_backend_class
  end

+  it_behaves_like 'HasXssSanitizedNote', model_factory: :scheduler
+
  describe '.failed_jobs' do

    it 'does list failed jobs' do
--- a/spec/models/signature_spec.rb
+++ b/spec/models/signature_spec.rb
@ -2,7 +2,9 @@

 require 'rails_helper'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Signature, type: :model do
  it_behaves_like 'HasCollectionUpdate', collection_factory: :signature
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :signature
 end
--- a/spec/models/ticket/article/sender_spec.rb
+++ b/spec/models/ticket/article/sender_spec.rb
@ -2,7 +2,9 @@

 require 'rails_helper'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Ticket::Article::Sender, type: :model do
  it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_article_sender
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_article_sender
 end
--- a/spec/models/ticket/article/type_spec.rb
+++ b/spec/models/ticket/article/type_spec.rb
@ -2,7 +2,9 @@

 require 'rails_helper'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Ticket::Article::Type, type: :model do
  it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_article_type
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_article_type
 end
--- a/spec/models/ticket/priority_spec.rb
+++ b/spec/models/ticket/priority_spec.rb
@ -4,11 +4,13 @@ require 'rails_helper'
 require 'models/application_model_examples'
 require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Ticket::Priority, type: :model do
  it_behaves_like 'ApplicationModel'
  it_behaves_like 'CanBeImported'
  it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_priority
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_priority

  describe 'Default state' do
    describe 'of whole table:' do
--- a/spec/models/ticket/state_spec.rb
+++ b/spec/models/ticket/state_spec.rb
@ -4,11 +4,13 @@ require 'rails_helper'
 require 'models/application_model_examples'
 require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/has_collection_update_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Ticket::State, type: :model do
  it_behaves_like 'ApplicationModel'
  it_behaves_like 'CanBeImported'
  it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_state
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_state

  describe 'Default state' do
    describe 'of whole table:' do
--- a/spec/models/ticket/state_type_spec.rb
+++ b/spec/models/ticket/state_type_spec.rb
@ -3,8 +3,10 @@
 require 'rails_helper'
 require 'models/application_model_examples'
 require 'models/concerns/can_be_imported_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Ticket::StateType, type: :model do
  it_behaves_like 'ApplicationModel'
  it_behaves_like 'CanBeImported'
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :'ticket/state_type'
 end
--- a/spec/models/trigger_spec.rb
+++ b/spec/models/trigger_spec.rb
@ -2,11 +2,13 @@

 require 'rails_helper'
 require 'models/application_model_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Trigger, type: :model do
  subject(:trigger) { create(:trigger, condition: condition, perform: perform) }

  it_behaves_like 'ApplicationModel', can_assets: { selectors: %i[condition perform] }
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :trigger

  describe 'validation' do

--- a/spec/models/webhook_spec.rb
+++ b/spec/models/webhook_spec.rb
@ -1,9 +1,12 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 require 'rails_helper'
+require 'models/concerns/has_xss_sanitized_note_examples'

 RSpec.describe Webhook, type: :model do

+  it_behaves_like 'HasXssSanitizedNote', model_factory: :webhook
+
  describe 'check endpoint' do
    subject(:webhook) { build(:webhook, endpoint: endpoint) }

--- a/spec/requests/text_module_spec.rb
+++ b/spec/requests/text_module_spec.rb
@ -1,7 +1,6 @@
 # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

 require 'rails_helper'
-require 'byebug'

 RSpec.describe 'Text Module', type: :request do