diff --git a/Gemfile b/Gemfile
index e91c3ae..ddc27ed 100644
--- a/Gemfile
+++ b/Gemfile
@@ -39,6 +39,7 @@ gem 'jbuilder', '~> 2.5'
 # Use Capistrano for deployment
 # gem 'capistrano-rails', group: :development
+gem 'rack-attack'
 group :development, :test do
 gem 'rspec-rails'
@@ -48,13 +49,15 @@ end
 group :development do
 gem 'faker'
+ gem 'brakeman'
+ gem 'bundler-audit'
 # Access an IRB console on exception pages or by using <%= console %> anywhere in the code.
 gem 'web-console', '>= 3.3.0'
 gem 'listen', '~> 3.0.5'
 # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
- gem 'spring'
- gem 'spring-watcher-listen', '~> 2.0.0'
+ # gem 'spring'
+ # gem 'spring-watcher-listen', '~> 2.0.0'
 end
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
diff --git a/Gemfile.lock b/Gemfile.lock
index 30c443b..c5d1fc0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -46,7 +46,11 @@ GEM
 bootstrap-sass (3.3.7)
 autoprefixer-rails (>= 5.2.1)
 sass (>= 3.3.4)
+ brakeman (4.0.1)
 builder (3.2.3)
+ bundler-audit (0.6.0)
+ bundler (~> 1.2)
+ thor (~> 0.18)
 byebug (9.0.6)
 coffee-rails (4.2.1)
 coffee-script (>= 2.2.0)
@@ -89,15 +93,17 @@ GEM
 mime-types (3.1)
 mime-types-data (~> 3.2015)
 mime-types-data (3.2016.0521)
- mini_portile2 (2.1.0)
+ mini_portile2 (2.3.0)
 minitest (5.10.1)
 multi_json (1.12.1)
 nio4r (2.0.0)
- nokogiri (1.7.1)
- mini_portile2 (~> 2.1.0)
+ nokogiri (1.8.1)
+ mini_portile2 (~> 2.3.0)
 orm_adapter (0.5.0)
 puma (3.8.2)
 rack (2.0.1)
+ rack-attack (5.0.1)
+ rack
 rack-test (0.6.3)
 rack (>= 1.0)
 rails (5.0.2)
@@ -153,11 +159,6 @@ GEM
 sprockets (>= 2.8, < 4.0)
 sprockets-rails (>= 2.0, < 4.0)
 tilt (>= 1.1, < 3)
- spring (2.0.1)
- activesupport (>= 4.2)
- spring-watcher-listen (2.0.1)
- listen (>= 2.7, < 4.0)
- spring (>= 1.2, < 3.0)
 sprockets (3.7.1)
 concurrent-ruby (~> 1.0)
 rack (> 1, < 3)
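Review bot: `gem 'rack-attack'` is added but nothing in this commit configures it, so no throttling or blocklisting happens until an initializer defines rules; the Devise sign-in and password-reset endpoints are the usual first targets for credential stuffing. Add `config/initializers/rack_attack.rb` with at least a login throttle, e.g. `Rack::Attack.throttle('logins/ip', limit: 5, period: 60) { |req| req.ip if req.post? && req.path == '/users/sign_in' }`, and confirm the middleware is actually in the stack with `rails middleware` rather than assuming the railtie inserted it. Keep in mind that `req.ip` is only as trustworthy as the proxy chain that sets X-Forwarded-For.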
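Review bot: brakeman and bundler-audit sit in the `:development` group and nothing in this commit invokes them, so they only add value once something runs them on every change. Wire them into CI (`bundle exec brakeman -q --no-pager` and `bundle exec bundler-audit check --update`, both failing the build on findings) or at minimum a rake task developers run before pushing. Note the lockfile pins bundler-audit 0.6.0 to `bundler (~> 1.2)`, which will block a later move to Bundler 2 unless the gem is bumped. The spring lines are commented out rather than removed; if spring is gone for good, delete them instead of leaving dead config.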
@@ -192,6 +193,8 @@ PLATFORMS
 DEPENDENCIES
 bootstrap-sass
+ brakeman
+ bundler-audit
 byebug
 coffee-rails (~> 4.2)
 devise
@@ -200,11 +203,10 @@ DEPENDENCIES
 jquery-rails
 listen (~> 3.0.5)
 puma (~> 3.0)
+ rack-attack
 rails (~> 5.0.2)
 rspec-rails
 sass-rails (~> 5.0)
- spring
- spring-watcher-listen (~> 2.0.0)
 sqlite3
 turbolinks (~> 5)
 tzinfo-data
@@ -212,4 +214,4 @@ DEPENDENCIES
 web-console (>= 3.3.0)
 BUNDLED WITH
- 1.14.6
+ 1.16.0.pre.2
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 682a07d..b9b7409 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,6 +1,7 @@
 class ApplicationController < ActionController::Base
 # protect_from_forgery with: :exception
+ protect_from_forgery with: :exception
 helper_method :current_cart
diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb
index 245dece..8f28b01 100644
--- a/app/controllers/events_controller.rb
+++ b/app/controllers/events_controller.rb
@@ -9,10 +9,10 @@ def show
 @comments = @event.comments
 if params[:keyword]
- @comments = @comments.where( "comments.content LIKE '%#{params[:keyword]}%'")
+ @comments = @comments.where( "comments.content LIKE ?", "%#{params[:keyword]}%")
 end
- if params[:sort]
+ if params[:sort] && ["id DESC", "id ASC"].include?(params[:sort])
 @comments = @comments.order(params[:sort])
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f1d232d..fd6cac4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -21,7 +21,7 @@ def update
 protected
 def user_params
- params.require(:user).permit(:nickname, :role)
+ params.require(:user).permit(:nickname)
 end
 end
diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb
index ed49051..1d62a20 100644
--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
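Review bot: Enabling `protect_from_forgery with: :exception` means every non-GET request without a valid authenticity token now raises `ActionController::InvalidAuthenticityToken`, including JSON clients of the jbuilder endpoints and any form or XHR that was submitted without `csrf_meta_tags`; grep for `skip_before_action :verify_authenticity_token` and for JavaScript that posts without the token before merging. The line was commented out previously, so presumably something broke with it on — find that caller and fix it rather than discover it in production. Delete the stale commented copy left on the line above; a commented-out security control is an invitation to toggle it back off. The class body continues outside the hunk.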
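Review bot: The parameterized `LIKE ?` closes the SQL injection, but `%` and `_` in `params[:keyword]` remain LIKE metacharacters, so a keyword of `%` matches every comment and `_` is a single-character wildcard; escape it first with `ActiveRecord::Base.sanitize_sql_like(params[:keyword])` and only then wrap it in `%…%`. For the sort, the allowlist makes the `params[:sort] &&` guard redundant, and passing the raw string to `order` still feeds user input into SQL even though it is now bounded; map it to a hash instead: `SORT_OPTIONS = { 'id DESC' => { id: :desc }, 'id ASC' => { id: :asc } }.freeze` and `@comments = @comments.order(SORT_OPTIONS[params[:sort]]) if SORT_OPTIONS.key?(params[:sort])`. `show` begins before the hunk.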
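Review bot: Dropping `:role` from `user_params` closes the privilege-escalation-by-mass-assignment path, but the hunk does not show how `update` loads its target; if it does `User.find(params[:id])` without checking the record is `current_user` (or that the caller is an admin), any signed-in user can still edit other users' nicknames. Confirm the lookup, or add an explicit ownership/authorization check before the update. If admins legitimately need to change roles, give them a separate admin-only permit list (e.g. `admin_user_params`) rather than re-adding `:role` here. `update` starts outside the hunk.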
@@ -7,9 +7,7 @@ def user_avatar_link(user)
 email_md5 = Digest::MD5.hexdigest(user.email)
 gravatar_url = "https://www.gravatar.com/avatar/#{email_md5}"
- str = "