diff --git a/app/models/chat.rb b/app/models/chat.rb
index 99cb33b70..bd93d766f 100644
--- a/app/models/chat.rb
+++ b/app/models/chat.rb
@@ -1,9 +1,13 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Chat < ApplicationModel + include ChecksHtmlSanitized + validates :name, presence: true store :preferences + sanitized_html :note + =begin get the customer state of a chat
diff --git a/app/models/email_address.rb b/app/models/email_address.rb
index 9fa4a32a8..fec6edd7f 100644
--- a/app/models/email_address.rb
+++ b/app/models/email_address.rb
@@ -1,6 +1,7 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class EmailAddress < ApplicationModel + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasCollectionUpdate
@@ -16,6 +17,8 @@ class EmailAddress < ApplicationModel after_update :update_email_address_id before_destroy :delete_group_reference + sanitized_html :note + collection_push_permission('ticket.agent') =begin
diff --git a/app/models/group.rb b/app/models/group.rb
index c11d72ce7..2b94ad01d 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -4,6 +4,7 @@ class Group < ApplicationModel include CanBeImported include HasActivityStreamLog include ChecksClientNotification + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasHistory include HasObjectManagerAttributesValidation
@@ -16,5 +17,7 @@ class Group < ApplicationModel validates :name, presence: true + sanitized_html :note + activity_stream_permission 'admin.group' end
diff --git a/app/models/history/object.rb b/app/models/history/object.rb
index f29cee2c5..1c035148c 100644
--- a/app/models/history/object.rb
+++ b/app/models/history/object.rb
@@ -1,4 +1,7 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class History::Object < ApplicationModel + include ChecksHtmlSanitized + + sanitized_html :note end
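Review bot: The `sanitized_html :note` declaration added to chat.rb (and, in the same way, to every other model hunk in this change, email_address.rb through webhook.rb) only affects records written after the change; nothing in the diff re-sanitizes `note` values that are already stored. If the concern applies its sanitizer from model callbacks, as its placement beside `validates` and `store` suggests, a data migration or one-off task that re-saves existing rows is needed for the protection to cover legacy data, and writes that bypass callbacks (`update_column`, `update_all`, raw SQL) remain uncovered either way. A one-line comment at the declaration would make the scope clear to the next maintainer, e.g. `# sanitized on save via ChecksHtmlSanitized; rows written before this change are not re-sanitized`.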
diff --git a/app/models/job.rb b/app/models/job.rb
index 107717b25..f73261564 100644
--- a/app/models/job.rb
+++ b/app/models/job.rb
@@ -3,6 +3,7 @@ class Job < ApplicationModel include ChecksClientNotification include ChecksConditionValidation + include ChecksHtmlSanitized include ChecksPerformValidation include Job::Assets
@@ -15,6 +16,8 @@ class Job < ApplicationModel before_create :updated_matching, :update_next_run_at before_update :updated_matching, :update_next_run_at + sanitized_html :note + =begin verify each job if needed to run (e. g. if true and times are matching) and execute it
diff --git a/app/models/link/object.rb b/app/models/link/object.rb
index 3add3679b..058e48175 100644
--- a/app/models/link/object.rb
+++ b/app/models/link/object.rb
@@ -1,5 +1,9 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Link::Object < ApplicationModel + include ChecksHtmlSanitized + validates :name, presence: true + + sanitized_html :note end
diff --git a/app/models/link/type.rb b/app/models/link/type.rb
index bd28981bb..179da7843 100644
--- a/app/models/link/type.rb
+++ b/app/models/link/type.rb
@@ -1,5 +1,9 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Link::Type < ApplicationModel + include ChecksHtmlSanitized + validates :name, presence: true + + sanitized_html :note end
diff --git a/app/models/macro.rb b/app/models/macro.rb
index 5b8334262..55470582a 100644
--- a/app/models/macro.rb
+++ b/app/models/macro.rb
@@ -2,6 +2,7 @@ class Macro < ApplicationModel include ChecksClientNotification + include ChecksHtmlSanitized include ChecksLatestChangeObserved include CanSeed include HasCollectionUpdate
@@ -12,5 +13,7 @@ class Macro < ApplicationModel has_and_belongs_to_many :groups, after_add: :cache_update, after_remove: :cache_update, class_name: 'Group' + sanitized_html :note + collection_push_permission('ticket.agent') end
diff --git a/app/models/notification.rb b/app/models/notification.rb
index dd3fe9ebc..8da9d139c 100644
--- a/app/models/notification.rb
+++ b/app/models/notification.rb
@@ -1,4 +1,7 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Notification < ApplicationModel + include ChecksHtmlSanitized + + sanitized_html :note end
diff --git a/app/models/permission.rb b/app/models/permission.rb
index 90061bf86..6d1a42506 100644
--- a/app/models/permission.rb
+++ b/app/models/permission.rb
@@ -2,6 +2,7 @@ class Permission < ApplicationModel include ChecksClientNotification + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasCollectionUpdate
@@ -9,6 +10,8 @@ class Permission < ApplicationModel validates :name, presence: true store :preferences + sanitized_html :note + =begin permissions = Permission.with_parents('some_key.sub_key')
diff --git a/app/models/postmaster_filter.rb b/app/models/postmaster_filter.rb
index 4f3464b2e..05ef7344b 100644
--- a/app/models/postmaster_filter.rb
+++ b/app/models/postmaster_filter.rb
@@ -1,6 +1,8 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class PostmasterFilter < ApplicationModel + include ChecksHtmlSanitized + store :perform store :match validates :name, presence: true
@@ -8,6 +10,8 @@ class PostmasterFilter < ApplicationModel before_create :validate_condition before_update :validate_condition + sanitized_html :note + def validate_condition raise Exceptions::UnprocessableEntity, 'Min. one match rule needed!' if match.blank?
diff --git a/app/models/role.rb b/app/models/role.rb
index 240102db1..846fb4890 100644
--- a/app/models/role.rb
+++ b/app/models/role.rb
@@ -4,6 +4,7 @@ class Role < ApplicationModel include CanBeImported include HasActivityStreamLog include ChecksClientNotification + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasGroups include HasCollectionUpdate
@@ -29,6 +30,8 @@ class Role < ApplicationModel activity_stream_permission 'admin.role' + sanitized_html :note + =begin grant permission to role
diff --git a/app/models/scheduler.rb b/app/models/scheduler.rb
index eaa552e42..eaa43ac0e 100644
--- a/app/models/scheduler.rb
+++ b/app/models/scheduler.rb
@@ -1,8 +1,12 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Scheduler < ApplicationModel + include ChecksHtmlSanitized + extend ::Mixin::StartFinishLogger + sanitized_html :note + # rubocop:disable Style/ClassVars @@jobs_started = {} # rubocop:enable Style/ClassVars
diff --git a/app/models/signature.rb b/app/models/signature.rb
index c5b60d6a4..c9ee78898 100644
--- a/app/models/signature.rb
+++ b/app/models/signature.rb
@@ -8,7 +8,7 @@ class Signature < ApplicationModel has_many :groups, after_add: :cache_update, after_remove: :cache_update validates :name, presence: true - sanitized_html :body + sanitized_html :body, :note collection_push_permission('ticket.agent') end
diff --git a/app/models/store/object.rb b/app/models/store/object.rb
index 169a0cc49..65630f940 100644
--- a/app/models/store/object.rb
+++ b/app/models/store/object.rb
@@ -2,6 +2,10 @@ class Store < ApplicationModel class Object < ApplicationModel + include ChecksHtmlSanitized + validates :name, presence: true + + sanitized_html :note end end
diff --git a/app/models/text_module.rb b/app/models/text_module.rb
index 21f05ef49..d2bc7563a 100644
--- a/app/models/text_module.rb
+++ b/app/models/text_module.rb
@@ -11,7 +11,7 @@ class TextModule < ApplicationModel before_create :validate_content before_update :validate_content - sanitized_html :content + sanitized_html :content, :note csv_delete_possible true
diff --git a/app/models/ticket/article/sender.rb b/app/models/ticket/article/sender.rb
index 45084e422..c463dafed 100644
--- a/app/models/ticket/article/sender.rb
+++ b/app/models/ticket/article/sender.rb
@@ -1,8 +1,11 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Ticket::Article::Sender < ApplicationModel + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasCollectionUpdate validates :name, presence: true + + sanitized_html :note end
diff --git a/app/models/ticket/article/type.rb b/app/models/ticket/article/type.rb
index 1de7c8087..2123ade5e 100644
--- a/app/models/ticket/article/type.rb
+++ b/app/models/ticket/article/type.rb
@@ -1,8 +1,11 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ class Ticket::Article::Type < ApplicationModel + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasCollectionUpdate validates :name, presence: true + + sanitized_html :note end
diff --git a/app/models/ticket/priority.rb b/app/models/ticket/priority.rb
index 5ee13bb6c..f1eb027c8 100644
--- a/app/models/ticket/priority.rb
+++ b/app/models/ticket/priority.rb
@@ -2,6 +2,7 @@ class Ticket::Priority < ApplicationModel include CanBeImported + include ChecksHtmlSanitized include HasCollectionUpdate include HasSearchIndexBackend
@@ -12,6 +13,8 @@ class Ticket::Priority < ApplicationModel after_update :ensure_defaults after_destroy :ensure_defaults + sanitized_html :note + attr_accessor :callback_loop def ensure_defaults
diff --git a/app/models/ticket/state.rb b/app/models/ticket/state.rb
index 455789c44..eae388b29 100644
--- a/app/models/ticket/state.rb
+++ b/app/models/ticket/state.rb
@@ -2,6 +2,7 @@ class Ticket::State < ApplicationModel include CanBeImported + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasCollectionUpdate include HasSearchIndexBackend
@@ -15,6 +16,8 @@ class Ticket::State < ApplicationModel validates :name, presence: true + sanitized_html :note + attr_accessor :callback_loop =begin
diff --git a/app/models/ticket/state_type.rb b/app/models/ticket/state_type.rb
index 4e4e54a72..95430d94c 100644
--- a/app/models/ticket/state_type.rb
+++ b/app/models/ticket/state_type.rb
@@ -2,9 +2,12 @@ class Ticket::StateType < ApplicationModel include CanBeImported + include ChecksHtmlSanitized include ChecksLatestChangeObserved has_many :states, class_name: 'Ticket::State', inverse_of: :state_type validates :name, presence: true + + sanitized_html :note end
diff --git a/app/models/trigger.rb b/app/models/trigger.rb
index 2bbecd016..921a14bb3 100644
--- a/app/models/trigger.rb
+++ b/app/models/trigger.rb
@@ -2,6 +2,7 @@ class Trigger < ApplicationModel include ChecksConditionValidation + include ChecksHtmlSanitized include ChecksPerformValidation include CanSeed
@@ -10,4 +11,6 @@ class Trigger < ApplicationModel store :condition store :perform validates :name, presence: true + + sanitized_html :note end
diff --git a/app/models/webhook.rb b/app/models/webhook.rb
index e7c552d83..01555c681 100644
--- a/app/models/webhook.rb
+++ b/app/models/webhook.rb
@@ -2,6 +2,7 @@ class Webhook < ApplicationModel include ChecksClientNotification + include ChecksHtmlSanitized include ChecksLatestChangeObserved include HasCollectionUpdate
@@ -10,6 +11,8 @@ class Webhook < ApplicationModel validates :name, presence: true validate :validate_endpoint + sanitized_html :note + private def validate_endpoint
diff --git a/spec/models/chat_spec.rb b/spec/models/chat_spec.rb
index 2f87d80ce..984d3a5e0 100644
--- a/spec/models/chat_spec.rb
+++ b/spec/models/chat_spec.rb
@@ -1,8 +1,10 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ require 'rails_helper' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Chat, type: :model do + it_behaves_like 'HasXssSanitizedNote', model_factory: :chat describe 'website whitelisting' do let(:chat) { create(:chat, whitelisted_websites: 'zammad.org') }
diff --git a/spec/models/email_address_spec.rb b/spec/models/email_address_spec.rb
index 6b134c45e..4b51e7295 100644
--- a/spec/models/email_address_spec.rb
+++ b/spec/models/email_address_spec.rb
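Review bot: The `it_behaves_like 'HasXssSanitizedNote', model_factory: :chat` line added in the chat_spec hunk has no counterpart in this diff for several models that receive `sanitized_html :note` in the same change: History::Object, Link::Object, Link::Type, Notification, PostmasterFilter, Store::Object and TextModule (whose only spec change is the removal of the `byebug` require in the request spec). Unless those are covered by specs outside this diff, wiring the shared example into each model spec would make a dropped include or declaration fail a test, e.g. `it_behaves_like 'HasXssSanitizedNote', model_factory: :notification` in the Notification spec (factory names to be confirmed against spec/factories).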
@@ -2,11 +2,13 @@ require 'rails_helper' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe EmailAddress, type: :model do subject(:email_address) { create(:email_address) } it_behaves_like 'HasCollectionUpdate', collection_factory: :email_address + it_behaves_like 'HasXssSanitizedNote', model_factory: :email_address describe 'Attributes:' do describe '#active' do
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index 65d6fc04a..96d4d355c 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -6,6 +6,7 @@ require 'models/concerns/can_be_imported_examples' require 'models/concerns/has_object_manager_attributes_validation_examples' require 'models/concerns/has_collection_update_examples' require 'models/concerns/has_ticket_create_screen_impact_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Group, type: :model do it_behaves_like 'ApplicationModel'
@@ -13,4 +14,5 @@ RSpec.describe Group, type: :model do it_behaves_like 'HasObjectManagerAttributesValidation' it_behaves_like 'HasCollectionUpdate', collection_factory: :group it_behaves_like 'HasTicketCreateScreenImpact', create_screen_factory: :group + it_behaves_like 'HasXssSanitizedNote', model_factory: :group end
diff --git a/spec/models/job_spec.rb b/spec/models/job_spec.rb
index 583778198..f0d18cb62 100644
--- a/spec/models/job_spec.rb
+++ b/spec/models/job_spec.rb
@@ -2,11 +2,13 @@ require 'rails_helper' require 'models/application_model_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Job, type: :model do subject(:job) { create(:job) } it_behaves_like 'ApplicationModel', can_assets: { selectors: %i[condition perform] } + it_behaves_like 'HasXssSanitizedNote', model_factory: :job describe 'Class methods:' do describe '.run' do
diff --git a/spec/models/macro_spec.rb b/spec/models/macro_spec.rb
index 378323b77..90939614a 100644
--- a/spec/models/macro_spec.rb
+++ b/spec/models/macro_spec.rb
@@ -2,7 +2,9 @@ require 'rails_helper' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Macro, type: :model do it_behaves_like 'HasCollectionUpdate', collection_factory: :macro + it_behaves_like 'HasXssSanitizedNote', model_factory: :macro end
diff --git a/spec/models/permission_spec.rb b/spec/models/permission_spec.rb
index 4a6437f03..0d87df1a5 100644
--- a/spec/models/permission_spec.rb
+++ b/spec/models/permission_spec.rb
@@ -2,9 +2,11 @@ require 'rails_helper' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Permission, type: :model do it_behaves_like 'HasCollectionUpdate', collection_factory: :permission + it_behaves_like 'HasXssSanitizedNote', model_factory: :permission describe '.with_parents' do context 'when given a simple string (no dots)' do
diff --git a/spec/models/role_spec.rb b/spec/models/role_spec.rb
index 1fa1e6f1a..d5a67cf83 100644
--- a/spec/models/role_spec.rb
+++ b/spec/models/role_spec.rb
@@ -6,6 +6,7 @@ require 'models/concerns/can_be_imported_examples' require 'models/concerns/has_groups_examples' require 'models/concerns/has_collection_update_examples' require 'models/concerns/has_ticket_create_screen_impact_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Role do subject(:role) { create(:role) }
@@ -15,6 +16,7 @@ RSpec.describe Role do it_behaves_like 'HasGroups', group_access_factory: :role it_behaves_like 'HasCollectionUpdate', collection_factory: :role it_behaves_like 'HasTicketCreateScreenImpact', create_screen_factory: :role + it_behaves_like 'HasXssSanitizedNote', model_factory: :role describe 'Default state' do describe 'of whole table:' do
diff --git a/spec/models/scheduler_spec.rb b/spec/models/scheduler_spec.rb
index 1b7a130cb..f385e0a59 100644
--- a/spec/models/scheduler_spec.rb
+++ b/spec/models/scheduler_spec.rb
@@ -1,10 +1,10 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ require 'rails_helper' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Scheduler do - let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' } let(:test_backend_class) do Class.new do def self.start
@@ -22,11 +22,14 @@ RSpec.describe Scheduler do end end end + let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' } before do stub_const test_backend_name, test_backend_class end + it_behaves_like 'HasXssSanitizedNote', model_factory: :scheduler + describe '.failed_jobs' do it 'does list failed jobs' do
diff --git a/spec/models/signature_spec.rb b/spec/models/signature_spec.rb
index a454bb2e9..eee2716a6 100644
--- a/spec/models/signature_spec.rb
+++ b/spec/models/signature_spec.rb
@@ -2,7 +2,9 @@ require 'rails_helper' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Signature, type: :model do it_behaves_like 'HasCollectionUpdate', collection_factory: :signature + it_behaves_like 'HasXssSanitizedNote', model_factory: :signature end
diff --git a/spec/models/ticket/article/sender_spec.rb b/spec/models/ticket/article/sender_spec.rb
index 2dad115bf..ebb28401e 100644
--- a/spec/models/ticket/article/sender_spec.rb
+++ b/spec/models/ticket/article/sender_spec.rb
@@ -2,7 +2,9 @@ require 'rails_helper' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Ticket::Article::Sender, type: :model do it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_article_sender + it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_article_sender end
diff --git a/spec/models/ticket/article/type_spec.rb b/spec/models/ticket/article/type_spec.rb
index a3d3a848b..ad6c8f263 100644
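Review bot: The scheduler_spec hunks move `let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' }` from the top of the describe block to just above the `before` that uses it, which is unrelated to the sanitization change and has no runtime effect since `let` is evaluated lazily when `stub_const` reads it. If the relocation is meant to keep the two `let`s next to their `before`, that is fine, but it belongs in its own commit or at least in the commit message so the reorder is not mistaken for a behavioural fix.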
--- a/spec/models/ticket/article/type_spec.rb
+++ b/spec/models/ticket/article/type_spec.rb
@@ -2,7 +2,9 @@ require 'rails_helper' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Ticket::Article::Type, type: :model do it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_article_type + it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_article_type end
diff --git a/spec/models/ticket/priority_spec.rb b/spec/models/ticket/priority_spec.rb
index 31e9c0f56..2a9e44482 100644
--- a/spec/models/ticket/priority_spec.rb
+++ b/spec/models/ticket/priority_spec.rb
@@ -4,11 +4,13 @@ require 'rails_helper' require 'models/application_model_examples' require 'models/concerns/can_be_imported_examples' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Ticket::Priority, type: :model do it_behaves_like 'ApplicationModel' it_behaves_like 'CanBeImported' it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_priority + it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_priority describe 'Default state' do describe 'of whole table:' do
diff --git a/spec/models/ticket/state_spec.rb b/spec/models/ticket/state_spec.rb
index 43cf4ab73..dfc1df5a6 100644
--- a/spec/models/ticket/state_spec.rb
+++ b/spec/models/ticket/state_spec.rb
@@ -4,11 +4,13 @@ require 'rails_helper' require 'models/application_model_examples' require 'models/concerns/can_be_imported_examples' require 'models/concerns/has_collection_update_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Ticket::State, type: :model do it_behaves_like 'ApplicationModel' it_behaves_like 'CanBeImported' it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_state + it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_state describe 'Default state' do describe 'of whole table:' do
diff --git a/spec/models/ticket/state_type_spec.rb b/spec/models/ticket/state_type_spec.rb
index 8dfb15e35..464567b0c 100644
--- a/spec/models/ticket/state_type_spec.rb
+++ b/spec/models/ticket/state_type_spec.rb
@@ -3,8 +3,10 @@ require 'rails_helper' require 'models/application_model_examples' require 'models/concerns/can_be_imported_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Ticket::StateType, type: :model do it_behaves_like 'ApplicationModel' it_behaves_like 'CanBeImported' + it_behaves_like 'HasXssSanitizedNote', model_factory: :'ticket/state_type' end
diff --git a/spec/models/trigger_spec.rb b/spec/models/trigger_spec.rb
index babae3d2d..8caa52494 100644
--- a/spec/models/trigger_spec.rb
+++ b/spec/models/trigger_spec.rb
@@ -2,11 +2,13 @@ require 'rails_helper' require 'models/application_model_examples' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Trigger, type: :model do subject(:trigger) { create(:trigger, condition: condition, perform: perform) } it_behaves_like 'ApplicationModel', can_assets: { selectors: %i[condition perform] } + it_behaves_like 'HasXssSanitizedNote', model_factory: :trigger describe 'validation' do
diff --git a/spec/models/webhook_spec.rb b/spec/models/webhook_spec.rb
index 58f0d650b..6a0b57259 100644
--- a/spec/models/webhook_spec.rb
+++ b/spec/models/webhook_spec.rb
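Review bot: The factory reference `model_factory: :'ticket/state_type'` in the state_type_spec hunk is the only slash-form name in this change; every sibling spec uses the underscore form (`:ticket_state`, `:ticket_priority`, `:ticket_article_type`). If FactoryBot has an underscore alias registered for this factory, `it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_state_type` would keep the specs uniform; if the slash name is the only one registered, a short comment such as `# factory is registered under its slash name only` would stop the next reader from "fixing" it.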
@@ -1,9 +1,12 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ require 'rails_helper' +require 'models/concerns/has_xss_sanitized_note_examples' RSpec.describe Webhook, type: :model do + it_behaves_like 'HasXssSanitizedNote', model_factory: :webhook + describe 'check endpoint' do subject(:webhook) { build(:webhook, endpoint: endpoint) }
diff --git a/spec/requests/text_module_spec.rb b/spec/requests/text_module_spec.rb
index 6c0aed4d4..1b2e5e3f4 100644
--- a/spec/requests/text_module_spec.rb
+++ b/spec/requests/text_module_spec.rb
@@ -1,7 +1,6 @@ # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/ require 'rails_helper' -require 'byebug' RSpec.describe 'Text Module', type: :request do