Maintenance: Add note attribute sanitization to not yet checked models.

This commit is contained in:
Thorsten Eckel 2021-04-12 11:49:26 +02:00
parent 5e4084d908
commit d32ea5e0d3
40 changed files with 106 additions and 4 deletions

View file

@ -1,9 +1,13 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Chat < ApplicationModel
include ChecksHtmlSanitized
validates :name, presence: true
store :preferences
sanitized_html :note
=begin
get the customer state of a chat

View file

@ -1,6 +1,7 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class EmailAddress < ApplicationModel
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasCollectionUpdate
@ -16,6 +17,8 @@ class EmailAddress < ApplicationModel
after_update :update_email_address_id
before_destroy :delete_group_reference
sanitized_html :note
collection_push_permission('ticket.agent')
=begin

View file

@ -4,6 +4,7 @@ class Group < ApplicationModel
include CanBeImported
include HasActivityStreamLog
include ChecksClientNotification
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasHistory
include HasObjectManagerAttributesValidation
@ -16,5 +17,7 @@ class Group < ApplicationModel
validates :name, presence: true
sanitized_html :note
activity_stream_permission 'admin.group'
end

View file

@ -1,4 +1,7 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class History::Object < ApplicationModel
include ChecksHtmlSanitized
sanitized_html :note
end

View file

@ -3,6 +3,7 @@
class Job < ApplicationModel
include ChecksClientNotification
include ChecksConditionValidation
include ChecksHtmlSanitized
include ChecksPerformValidation
include Job::Assets
@ -15,6 +16,8 @@ class Job < ApplicationModel
before_create :updated_matching, :update_next_run_at
before_update :updated_matching, :update_next_run_at
sanitized_html :note
=begin
verify each job if needed to run (e. g. if true and times are matching) and execute it

View file

@ -1,5 +1,9 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Link::Object < ApplicationModel
include ChecksHtmlSanitized
validates :name, presence: true
sanitized_html :note
end

View file

@ -1,5 +1,9 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Link::Type < ApplicationModel
include ChecksHtmlSanitized
validates :name, presence: true
sanitized_html :note
end

View file

@ -2,6 +2,7 @@
class Macro < ApplicationModel
include ChecksClientNotification
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include CanSeed
include HasCollectionUpdate
@ -12,5 +13,7 @@ class Macro < ApplicationModel
has_and_belongs_to_many :groups, after_add: :cache_update, after_remove: :cache_update, class_name: 'Group'
sanitized_html :note
collection_push_permission('ticket.agent')
end

View file

@ -1,4 +1,7 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Notification < ApplicationModel
include ChecksHtmlSanitized
sanitized_html :note
end

View file

@ -2,6 +2,7 @@
class Permission < ApplicationModel
include ChecksClientNotification
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasCollectionUpdate
@ -9,6 +10,8 @@ class Permission < ApplicationModel
validates :name, presence: true
store :preferences
sanitized_html :note
=begin
permissions = Permission.with_parents('some_key.sub_key')

View file

@ -1,6 +1,8 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class PostmasterFilter < ApplicationModel
include ChecksHtmlSanitized
store :perform
store :match
validates :name, presence: true
@ -8,6 +10,8 @@ class PostmasterFilter < ApplicationModel
before_create :validate_condition
before_update :validate_condition
sanitized_html :note
def validate_condition
raise Exceptions::UnprocessableEntity, 'Min. one match rule needed!' if match.blank?

View file

@ -4,6 +4,7 @@ class Role < ApplicationModel
include CanBeImported
include HasActivityStreamLog
include ChecksClientNotification
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasGroups
include HasCollectionUpdate
@ -29,6 +30,8 @@ class Role < ApplicationModel
activity_stream_permission 'admin.role'
sanitized_html :note
=begin
grant permission to role

View file

@ -1,8 +1,12 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Scheduler < ApplicationModel
include ChecksHtmlSanitized
extend ::Mixin::StartFinishLogger
sanitized_html :note
# rubocop:disable Style/ClassVars
@@jobs_started = {}
# rubocop:enable Style/ClassVars

View file

@ -8,7 +8,7 @@ class Signature < ApplicationModel
has_many :groups, after_add: :cache_update, after_remove: :cache_update
validates :name, presence: true
sanitized_html :body
sanitized_html :body, :note
collection_push_permission('ticket.agent')
end

View file

@ -2,6 +2,10 @@
class Store < ApplicationModel
class Object < ApplicationModel
include ChecksHtmlSanitized
validates :name, presence: true
sanitized_html :note
end
end

View file

@ -11,7 +11,7 @@ class TextModule < ApplicationModel
before_create :validate_content
before_update :validate_content
sanitized_html :content
sanitized_html :content, :note
csv_delete_possible true

View file

@ -1,8 +1,11 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Ticket::Article::Sender < ApplicationModel
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasCollectionUpdate
validates :name, presence: true
sanitized_html :note
end

View file

@ -1,8 +1,11 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
class Ticket::Article::Type < ApplicationModel
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasCollectionUpdate
validates :name, presence: true
sanitized_html :note
end

View file

@ -2,6 +2,7 @@
class Ticket::Priority < ApplicationModel
include CanBeImported
include ChecksHtmlSanitized
include HasCollectionUpdate
include HasSearchIndexBackend
@ -12,6 +13,8 @@ class Ticket::Priority < ApplicationModel
after_update :ensure_defaults
after_destroy :ensure_defaults
sanitized_html :note
attr_accessor :callback_loop
def ensure_defaults

View file

@ -2,6 +2,7 @@
class Ticket::State < ApplicationModel
include CanBeImported
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasCollectionUpdate
include HasSearchIndexBackend
@ -15,6 +16,8 @@ class Ticket::State < ApplicationModel
validates :name, presence: true
sanitized_html :note
attr_accessor :callback_loop
=begin

View file

@ -2,9 +2,12 @@
class Ticket::StateType < ApplicationModel
include CanBeImported
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
has_many :states, class_name: 'Ticket::State', inverse_of: :state_type
validates :name, presence: true
sanitized_html :note
end

View file

@ -2,6 +2,7 @@
class Trigger < ApplicationModel
include ChecksConditionValidation
include ChecksHtmlSanitized
include ChecksPerformValidation
include CanSeed
@ -10,4 +11,6 @@ class Trigger < ApplicationModel
store :condition
store :perform
validates :name, presence: true
sanitized_html :note
end

View file

@ -2,6 +2,7 @@
class Webhook < ApplicationModel
include ChecksClientNotification
include ChecksHtmlSanitized
include ChecksLatestChangeObserved
include HasCollectionUpdate
@ -10,6 +11,8 @@ class Webhook < ApplicationModel
validates :name, presence: true
validate :validate_endpoint
sanitized_html :note
private
def validate_endpoint

View file

@ -1,8 +1,10 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
require 'rails_helper'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Chat, type: :model do
it_behaves_like 'HasXssSanitizedNote', model_factory: :chat
describe 'website whitelisting' do
let(:chat) { create(:chat, whitelisted_websites: 'zammad.org') }

View file

@ -2,11 +2,13 @@
require 'rails_helper'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe EmailAddress, type: :model do
subject(:email_address) { create(:email_address) }
it_behaves_like 'HasCollectionUpdate', collection_factory: :email_address
it_behaves_like 'HasXssSanitizedNote', model_factory: :email_address
describe 'Attributes:' do
describe '#active' do

View file

@ -6,6 +6,7 @@ require 'models/concerns/can_be_imported_examples'
require 'models/concerns/has_object_manager_attributes_validation_examples'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_ticket_create_screen_impact_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Group, type: :model do
it_behaves_like 'ApplicationModel'
@ -13,4 +14,5 @@ RSpec.describe Group, type: :model do
it_behaves_like 'HasObjectManagerAttributesValidation'
it_behaves_like 'HasCollectionUpdate', collection_factory: :group
it_behaves_like 'HasTicketCreateScreenImpact', create_screen_factory: :group
it_behaves_like 'HasXssSanitizedNote', model_factory: :group
end

View file

@ -2,11 +2,13 @@
require 'rails_helper'
require 'models/application_model_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Job, type: :model do
subject(:job) { create(:job) }
it_behaves_like 'ApplicationModel', can_assets: { selectors: %i[condition perform] }
it_behaves_like 'HasXssSanitizedNote', model_factory: :job
describe 'Class methods:' do
describe '.run' do

View file

@ -2,7 +2,9 @@
require 'rails_helper'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Macro, type: :model do
it_behaves_like 'HasCollectionUpdate', collection_factory: :macro
it_behaves_like 'HasXssSanitizedNote', model_factory: :macro
end

View file

@ -2,9 +2,11 @@
require 'rails_helper'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Permission, type: :model do
it_behaves_like 'HasCollectionUpdate', collection_factory: :permission
it_behaves_like 'HasXssSanitizedNote', model_factory: :permission
describe '.with_parents' do
context 'when given a simple string (no dots)' do

View file

@ -6,6 +6,7 @@ require 'models/concerns/can_be_imported_examples'
require 'models/concerns/has_groups_examples'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_ticket_create_screen_impact_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Role do
subject(:role) { create(:role) }
@ -15,6 +16,7 @@ RSpec.describe Role do
it_behaves_like 'HasGroups', group_access_factory: :role
it_behaves_like 'HasCollectionUpdate', collection_factory: :role
it_behaves_like 'HasTicketCreateScreenImpact', create_screen_factory: :role
it_behaves_like 'HasXssSanitizedNote', model_factory: :role
describe 'Default state' do
describe 'of whole table:' do

View file

@ -1,10 +1,10 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
require 'rails_helper'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Scheduler do
let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' }
let(:test_backend_class) do
Class.new do
def self.start
@ -22,11 +22,14 @@ RSpec.describe Scheduler do
end
end
end
let(:test_backend_name) { 'SpecSpace::DelayedJobBackend' }
before do
stub_const test_backend_name, test_backend_class
end
it_behaves_like 'HasXssSanitizedNote', model_factory: :scheduler
describe '.failed_jobs' do
it 'does list failed jobs' do

View file

@ -2,7 +2,9 @@
require 'rails_helper'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Signature, type: :model do
it_behaves_like 'HasCollectionUpdate', collection_factory: :signature
it_behaves_like 'HasXssSanitizedNote', model_factory: :signature
end

View file

@ -2,7 +2,9 @@
require 'rails_helper'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Ticket::Article::Sender, type: :model do
it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_article_sender
it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_article_sender
end

View file

@ -2,7 +2,9 @@
require 'rails_helper'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Ticket::Article::Type, type: :model do
it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_article_type
it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_article_type
end

View file

@ -4,11 +4,13 @@ require 'rails_helper'
require 'models/application_model_examples'
require 'models/concerns/can_be_imported_examples'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Ticket::Priority, type: :model do
it_behaves_like 'ApplicationModel'
it_behaves_like 'CanBeImported'
it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_priority
it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_priority
describe 'Default state' do
describe 'of whole table:' do

View file

@ -4,11 +4,13 @@ require 'rails_helper'
require 'models/application_model_examples'
require 'models/concerns/can_be_imported_examples'
require 'models/concerns/has_collection_update_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Ticket::State, type: :model do
it_behaves_like 'ApplicationModel'
it_behaves_like 'CanBeImported'
it_behaves_like 'HasCollectionUpdate', collection_factory: :ticket_state
it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket_state
describe 'Default state' do
describe 'of whole table:' do

View file

@ -3,8 +3,10 @@
require 'rails_helper'
require 'models/application_model_examples'
require 'models/concerns/can_be_imported_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Ticket::StateType, type: :model do
it_behaves_like 'ApplicationModel'
it_behaves_like 'CanBeImported'
it_behaves_like 'HasXssSanitizedNote', model_factory: :'ticket/state_type'
end

View file

@ -2,11 +2,13 @@
require 'rails_helper'
require 'models/application_model_examples'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Trigger, type: :model do
subject(:trigger) { create(:trigger, condition: condition, perform: perform) }
it_behaves_like 'ApplicationModel', can_assets: { selectors: %i[condition perform] }
it_behaves_like 'HasXssSanitizedNote', model_factory: :trigger
describe 'validation' do

View file

@ -1,9 +1,12 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
require 'rails_helper'
require 'models/concerns/has_xss_sanitized_note_examples'
RSpec.describe Webhook, type: :model do
it_behaves_like 'HasXssSanitizedNote', model_factory: :webhook
describe 'check endpoint' do
subject(:webhook) { build(:webhook, endpoint: endpoint) }

View file

@ -1,7 +1,6 @@
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
require 'rails_helper'
require 'byebug'
RSpec.describe 'Text Module', type: :request do