Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PLAY-1432] Playground Sanitization Security #3624

Merged
merged 11 commits into from
Sep 12, 2024
Merged

[PLAY-1432] Playground Sanitization Security #3624

merged 11 commits into from
Sep 12, 2024

Conversation

markdoeswork
Copy link
Contributor

@markdoeswork markdoeswork commented Aug 22, 2024
edited
Loading

What does this PR do? A clear and concise description with your runway ticket url.

Runway https://runway.powerhrg.com/backlog_items/PLAY-1432

Anyone was able to input whatever erb into the playground. This was bad because people could do shell scrips and other stuff by submitting something like this <%= system(“pwd”) %>

The plan is to evaluate the ERB code coming in and if it has a method that isn’t on the white list then the request is not processed

These methods have to be on the white list because the Parser parses ruby and theses methods are needed to “run” erb

<<
To_s
+@
Freeze

More details about my thoughts here https://huddle.powerapp.cloud/v2/projects/647/artifacts/6881

@markdoeswork markdoeswork self-assigned this Aug 22, 2024
@markdoeswork markdoeswork added alpha milano 20 MAX - Deploy this PR to a review environment via Milano and removed alpha labels Aug 29, 2024
@github-actions GitHub Actions
Copy link

🎉 Congratulations on creating an Alpha Version!

Your Alpha for Ruby Gems is 14.2.0.pre.alpha.play1432playgroundsanitation3622

Your Alpha for NPM is 14.2.0-alpha.play1432playgroundsanitation3622

@markdoeswork markdoeswork marked this pull request as ready for review September 3, 2024 17:52
@markdoeswork markdoeswork requested review from a team as code owners September 3, 2024 17:52
@markdoeswork markdoeswork marked this pull request as draft September 6, 2024 12:29
@markdoeswork markdoeswork removed the milano 20 MAX - Deploy this PR to a review environment via Milano label Sep 11, 2024
@markdoeswork markdoeswork added the milano 20 MAX - Deploy this PR to a review environment via Milano label Sep 11, 2024
@markdoeswork markdoeswork marked this pull request as ready for review September 12, 2024 18:08
@jasperfurniss jasperfurniss added this pull request to the merge queue Sep 12, 2024
Merged via the queue into master with commit 360a1d8 Sep 12, 2024
5 checks passed
@jasperfurniss jasperfurniss deleted the play/1432_playground_sanitation branch September 12, 2024 19:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasperfurniss jasperfurniss jasperfurniss approved these changes

@terryfinn terryfinn Awaiting requested review from terryfinn

Assignees

@markdoeswork markdoeswork

Labels
milano 20 MAX - Deploy this PR to a review environment via Milano
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@markdoeswork @jasperfurniss