whimsical-commits mailing list archives

From s...@apache.org
Subject [whimsy] branch master updated: Add user validation
Date Tue, 06 Oct 2020 16:40:12 GMT
This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new 051dea5  Add user validation
051dea5 is described below

commit 051dea52da1a1a5ec3b8ad2baf755286d6ba34c7
Author: Sebb <sebb@apache.org>
AuthorDate: Tue Oct 6 17:40:03 2020 +0100

    Add user validation
---
 www/board/agenda/models/pending.rb            | 5 ++++-
 www/board/agenda/views/actions/commit.json.rb | 4 +++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/www/board/agenda/models/pending.rb b/www/board/agenda/models/pending.rb
index f2b5b50..0422f07 100644
--- a/www/board/agenda/models/pending.rb
+++ b/www/board/agenda/models/pending.rb
@@ -1,7 +1,10 @@
 class Pending
   # determine the name of the work file associated with a given user
   def self.work_file(user)
-    "#{AGENDA_WORK}/#{user}.yml".untaint if user =~ /\A\w+\z/
+    # user ids may include '-'
+    raise ArgumentError, "Unexpected user id #{user}" unless user =~ /\A[-\w]+\z/
+
+    "#{AGENDA_WORK}/#{user}.yml"
   end
 
   # fetch and parse a work file
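Review bot: The new `raise` line in work_file interpolates the rejected user id verbatim into the ArgumentError message, so a value containing newlines or control characters reaches any log or error response that carries the exception unescaped. Using `raise ArgumentError, "Unexpected user id #{user.inspect}" unless user =~ /\A[-\w]+\z/` keeps the value quoted and on one line; the same applies to the identical line in the commit.json.rb hunk. Separately, work_file used to return nil for a non-matching id and now raises, so any caller that tested the return value (none are visible in this hunk) needs a rescue instead. The Pending class continues outside the hunk.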
diff --git a/www/board/agenda/views/actions/commit.json.rb b/www/board/agenda/views/actions/commit.json.rb
index 2413180..cacc45d 100644
--- a/www/board/agenda/views/actions/commit.json.rb
+++ b/www/board/agenda/views/actions/commit.json.rb
@@ -6,7 +6,9 @@ MAX_LINE = 79
 INDENT = 13
 
 user = env.user
-user = user.dup.untaint if user =~ /\A\w+\z/
+# user ids may include '-'
+raise ArgumentError, "Unexpected user id #{user}" unless user =~ /\A[-\w]+\z/
+
 updates = YAML.load_file("#{AGENDA_WORK}/#{user}.yml")
 
 agenda_file = updates['agenda']
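Review bot: The id pattern and the work-file path are written out here a second time, alongside the copy in Pending.work_file, so a later change to the allowed character set can leave the two checks disagreeing. If the Pending model is loaded when this view runs (not visible from this hunk), `updates = YAML.load_file(Pending.work_file(user))` would keep validation and path construction in one place. The validated id decides which file `YAML.load_file` parses, and on older Psych versions that call instantiates tagged objects, so it is worth confirming the work files are only ever written by the application itself. The script continues past the end of the hunk.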

