Fixes #38076 - Sanitize content_view repository_ids param
m-bucher authored and quba42 committed Jan 15, 2025
1 parent b316f4c commit 59edaf7
Showing 2 changed files with 6 additions and 3 deletions.
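--- a/app/controllers/katello/api/v2/content_views_controller.rb
+++ b/app/controllers/katello/api/v2/content_views_controller.rb
@@ -288,7 +288,10 @@ def view_params
 if (!@content_view || !@content_view.composite?)
 attrs.push({:repository_ids => []}, :repository_ids)
 end
-params.require(:content_view).permit(*attrs).to_h
+result = params.require(:content_view).permit(*attrs).to_h
+# sanitize repository_ids to be a list of integers
+result[:repository_ids] = result[:repository_ids].compact.map(&:to_i) if result[:repository_ids].present?
+result
 end
 
 def find_environment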
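Review bot: The new `result[:repository_ids] = result[:repository_ids].compact.map(&:to_i)` line assumes the permitted value is an array, but the `attrs.push({:repository_ids => []}, :repository_ids)` context line permits both an array and a scalar, so a scalar string `repository_ids` passes `present?` and then hits `compact` on a String, which would likely raise NoMethodError and surface as a server error rather than a client-side validation failure. `to_i` also silently coerces non-numeric strings to 0 instead of rejecting them, so malformed ids are not really filtered out, only changed. A more defensive form would be `result[:repository_ids] = Array(result[:repository_ids]).filter_map { |id| Integer(id, exception: false) } if result[:repository_ids].present?`, or raising a validation error when an element fails to parse, so bad input is dropped or reported rather than coerced. `view_params` begins outside the hunk.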
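--- a/test/controllers/api/v2/content_views_controller_test.rb
+++ b/test/controllers/api/v2/content_views_controller_test.rb
@@ -243,8 +243,8 @@ def test_update_repositories_strings
 
 params = { :repository_ids => [repository.id.to_s] }
 assert_sync_task(::Actions::Katello::ContentView::Update) do |_content_view, content_view_params|
-assert_equal content_view_params.key?(:repository_ids), true
-assert_equal content_view_params[:repository_ids], params[:repository_ids]
+assert content_view_params.key?(:repository_ids)
+assert_equal [repository.id], content_view_params[:repository_ids]
 end
 put :update, params: { :id => @library_dev_staging_view.id, :content_view => params }
 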
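Review bot: The updated `assert_equal [repository.id], content_view_params[:repository_ids]` only exercises the happy path of one well-formed numeric string; nothing in the test covers a non-numeric element or a scalar (non-array) `repository_ids`, which is the kind of input the sanitizer was added for. A companion case that sends e.g. `{ :repository_ids => ['abc'] }` and asserts on the response status rather than the task params would pin the intended behaviour for malformed input. `test_update_repositories_strings` begins outside the hunk.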