finish

Gemfile

@@ -37,6 +37,8 @@ gem 'jbuilder', '~> 2.5'
 # Use ActiveModel has_secure_password
 # gem 'bcrypt', '~> 3.1.7'
 
+gem 'rack-attack'
+
 # Use Capistrano for deployment
 # gem 'capistrano-rails', group: :development
 
@@ -48,7 +50,8 @@ end
 
 group :development do
   gem 'faker'
-
+  gem 'brakeman'
+  gem 'bundler-audit'
   # Access an IRB console on exception pages or by using <%= console %> anywhere in the code.
   gem 'web-console', '>= 3.3.0'
   gem 'listen', '~> 3.0.5'

Gemfile.lock

@@ -46,7 +46,11 @@ GEM
     bootstrap-sass (3.3.7)
       autoprefixer-rails (>= 5.2.1)
       sass (>= 3.3.4)
+    brakeman (3.7.0)
     builder (3.2.3)
+    bundler-audit (0.6.0)
+      bundler (~> 1.2)
+      thor (~> 0.18)
     byebug (9.0.6)
     coffee-rails (4.2.1)
       coffee-script (>= 2.2.0)
@@ -89,15 +93,17 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.2.0)
     minitest (5.10.1)
     multi_json (1.12.1)
     nio4r (2.0.0)
-    nokogiri (1.7.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.8.0)
+      mini_portile2 (~> 2.2.0)
     orm_adapter (0.5.0)
     puma (3.8.2)
     rack (2.0.1)
+    rack-attack (5.0.1)
+      rack
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (5.0.2)
@@ -192,6 +198,8 @@ PLATFORMS
 
 DEPENDENCIES
   bootstrap-sass
+  brakeman
+  bundler-audit
   byebug
   coffee-rails (~> 4.2)
   devise
@@ -200,6 +208,7 @@ DEPENDENCIES
   jquery-rails
   listen (~> 3.0.5)
   puma (~> 3.0)
+  rack-attack
   rails (~> 5.0.2)
   rspec-rails
   sass-rails (~> 5.0)
@@ -212,4 +221,4 @@ DEPENDENCIES
   web-console (>= 3.3.0)
 
 BUNDLED WITH
-   1.14.6
+   1.15.3

app/controllers/application_controller.rb

@@ -1,6 +1,6 @@
 class ApplicationController < ActionController::Base
 
-  # protect_from_forgery with: :exception
+  protect_from_forgery with: :exception
 
   helper_method :current_cart
 

app/controllers/events_controller.rb

@@ -9,10 +9,11 @@ def show
     @comments = @event.comments
 
     if params[:keyword]
-      @comments = @comments.where( "comments.content LIKE '%#{params[:keyword]}%'")
+      keyword = ActiveRecord::Base::connection.quote_string( params[:keyword] )
+      @comments = @comments.where( "comments.content LIKE ?", "%#{params[:keyword]}%")
     end
 
-    if params[:sort]
+    if params[:sort] && ["id DESC", "id ASC"].include?(params[:sort])
       @comments = @comments.order(params[:sort])
     end
 

app/controllers/users_controller.rb

@@ -21,7 +21,7 @@ def update
   protected
 
   def user_params
-    params.require(:user).permit(:nickname, :role)
+    params.require(:user).permit(:nickname)
   end
 
 end

app/helpers/users_helper.rb

@@ -7,9 +7,10 @@ def user_avatar_link(user)
     email_md5 = Digest::MD5.hexdigest(user.email)
     gravatar_url = "https://www.gravatar.com/avatar/#{email_md5}"
 
-    str = "<div class ='user-link'>" + link_to(image_tag(gravatar_url), user_path(user)) + " " + user.display_name + "</div>"
 
-    str.html_safe
+    content_tag(:div,
+      link_to(image_tag(gravatar_url), user_path(user)) + " " + user.display_name ,
+      :class => "user-link" )
   end
 
 end

app/views/events/show.html.erb

@@ -22,14 +22,14 @@
     </div>
 
     <div class="panel-body">
-      <%= raw comment.content %>
+      <%= sanitize comment.content %>
     </div>
 
     <div class="panel-footer text-right">
       <%= comment.created_at.to_s %>
 
       <% if current_user && current_user.is_admin? %>
-        <%= link_to "Highligh", highlight_event_comment_path(@event, comment), :class => "btn btn-default" %>
+        <%= link_to "Highligh", highlight_event_comment_path(@event, comment), :method => :post, :class => "btn btn-default" %>
       <% end %>
 
       <% if comment.can_deleted_by(current_user) %>
@@ -50,4 +50,4 @@
   <div class="form-group">
     <%= f.submit "Comment", :class => "btn btn-primary" %>
   </div>
-<% end %>
+<% end %>

config/application.rb

@@ -12,8 +12,9 @@ class Application < Rails::Application
     # Application configuration should go into files in config/initializers
     # -- all .rb files in that directory are automatically loaded.
     config.time_zone = "Beijing"
+    config.middleware.use Rack::Attack
 
   end
 end
 
-Time::DATE_FORMATS.merge!(:default => '%Y/%m/%d %I:%M %p', :ymd => '%Y/%m/%d')
+Time::DATE_FORMATS.merge!(:default => '%Y/%m/%d %I:%M %p', :ymd => '%Y/%m/%d')

config/initializers/rack-attack.rb

@@ -0,0 +1,59 @@
+class Rack::Attack
+
+  throttle('req/ip', :limit => 180, :period => 1.minutes) do |req|
+    req.ip
+  end
+
+  ### Prevent Brute-Force Login Attacks ###
+
+
+  # The most common brute-force login attack is a brute-force password
+
+  # attack where an attacker simply tries a large number of emails and
+
+  # passwords to see if any credentials match.
+
+  #
+
+  # Another common method of attack is to use a swarm of computers with
+
+  # different IPs to try brute-forcing a password for a specific account.
+
+
+  # Throttle POST requests to /login by IP address
+
+  #
+
+  # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}"
+
+  throttle('logins/ip', :limit => 5, :period => 20.seconds) do |req|
+    if req.path == '/users/sign_in' && req.post?
+      req.ip
+    end
+  end
+
+  # Throttle POST requests to /login by email param
+
+  #
+
+  # Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{req.email}"
+
+  #
+
+  # Note: This creates a problem where a malicious user could intentionally
+
+  # throttle logins for another user and force their login requests to be
+
+  # denied, but that's not very common and shouldn't happen to you. (Knock
+
+  # on wood!)
+
+  throttle("logins/email", :limit => 5, :period => 20.seconds) do |req|
+    if req.path == '/users/sign_in' && req.post?
+      # return the email if present, nil otherwise
+
+      req.params['email'].presence
+    end
+  end
+
+end

config/routes.rb

@@ -7,7 +7,7 @@
   resources :events do
     resources :comments do
       member do
-        get :highlight
+        post :highlight
       end
     end
   end