Feature/add sanitize to prevent xss

Author: brunto

.env-example

@@ -0,0 +1,2 @@
+SANITIZED_ALLOWED_TAGS="strong em ul ol li"
+SANITIZED_ALLOWED_ATTRIBUTES="style"

Gemfile

@@ -14,7 +14,7 @@ gem 'mime-types', '~> 3.3'
 
 gem 'carrierwave', '~> 2.1.1'
 gem 'carrierwave-base64', '~> 2.8.0'
-gem 'dotenv-rails', groups: [:development, :test]
+gem 'dotenv-rails'
 
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 # gem 'jbuilder', '~> 2.5'

app/controllers/answers_controller.rb

@@ -25,7 +25,7 @@ def create
     @answer = Answer.new(answer_params)
 
     if @answer.save
-      render json: serialize(@answer), status: :created
+      render json: serialize(@answer.reload), status: :created
     else
       render json: @answer.errors, status: :unprocessable_entity
     end
@@ -34,7 +34,7 @@ def create
   # PATCH/PUT /answers/1
   def update
     if @answer.update(answer_params)
-      render json: serialize(@answer)
+      render json: serialize(@answer.reload)
     else
       render json: @answer.errors, status: :unprocessable_entity
     end

app/controllers/comments_controller.rb

@@ -27,7 +27,7 @@ def create
     @comment = Comment.new(comment_params)
 
     if @comment.save
-      render json: serialize(@comment), status: :created
+      render json: serialize(@comment.reload), status: :created
     else
       render json: @comment.errors, status: :unprocessable_entity
     end
@@ -36,7 +36,7 @@ def create
   # PATCH/PUT /comments/1
   def update
     if @comment.update(comment_params)
-      render json: serialize(@comment)
+      render json: serialize(@comment.reload)
     else
       render json: @comment.errors, status: :unprocessable_entity
     end

app/controllers/evaluations_controller.rb

@@ -25,7 +25,7 @@ def create
     @evaluation = Evaluation.new(evaluation_params)
 
     if @evaluation.save
-      render json: serialize(@evaluation), status: :created
+      render json: serialize(@evaluation.reload), status: :created
     else
       render json: @evaluation.errors, status: :unprocessable_entity
     end
@@ -36,7 +36,7 @@ def update
     if @evaluation.update(evaluation_params)
       @evaluation.global_status = 0 if @evaluation.status == 1 && evaluation_params["global_status"].blank?
       @evaluation.save
-      render json: serialize(@evaluation)
+      render json: serialize(@evaluation.reload)
     else
       render json: @evaluation.errors, status: :unprocessable_entity
     end

app/controllers/knowledge_bases_controller.rb

@@ -11,7 +11,7 @@ def index
 
   def create
     knowledge_base = KnowledgeBase.create(knowledge_base_params)
-    render json: serialize(knowledge_base)
+    render json: serialize(knowledge_base.reload)
   end
 
   def show
@@ -20,7 +20,7 @@ def show
 
   def update
     @knowledge_base.update(knowledge_base_params)
-    render json: serialize(@knowledge_base)
+    render json: serialize(@knowledge_base.reload)
   end
 
   def destroy

app/controllers/knowledges_controller.rb

@@ -16,7 +16,7 @@ def create
     knowledge = Knowledge.new(data)
     knowledge.knowledge_base = @knowledge_base
     knowledge.save
-    render json: serialize(knowledge)
+    render json: serialize(knowledge.reload)
   end
 
   def show
@@ -27,7 +27,7 @@ def update
     data = knowledge_params
     data["items"] = JSON.parse(data["items"]) if data["items"]
     @knowledge.update(data)
-    render json: serialize(@knowledge)
+    render json: serialize(@knowledge.reload)
   end
 
   def destroy

app/controllers/measures_controller.rb

@@ -25,7 +25,7 @@ def create
     @measure = Measure.new(measure_params)
 
     if @measure.save
-      render json: serialize(@measure), status: :created
+      render json: serialize(@measure.reload), status: :created
     else
       render json: @measure.errors, status: :unprocessable_entity
     end
@@ -34,7 +34,7 @@ def create
   # PATCH/PUT /measures/1
   def update
     if @measure.update(measure_params)
-      render json: serialize(@measure)
+      render json: serialize(@measure.reload)
     else
       render json: @measure.errors, status: :unprocessable_entity
     end

app/controllers/structures_controller.rb

@@ -22,7 +22,7 @@ def create
     @structure = Structure.new(structures_parameters)
 
     if @structure.save
-      render json: serialize(@structure), status: :created
+      render json: serialize(@structure.reload), status: :created
     else
       render json: @structure.errors, status: :unprocessable_entity
     end
@@ -34,7 +34,7 @@ def update
     structures_parameters[:data] = JSON.parse(structures_parameters[:data]) if structures_parameters[:data]
 
     if @structure.update(structures_parameters)
-      render json: serialize(@structure)
+      render json: serialize(@structure.reload)
     else
       render json: @structure.errors, status: :unprocessable_entity
     end

app/models/answer.rb

@@ -1,4 +1,12 @@
 class Answer < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   belongs_to :pia, inverse_of: :answers
   validates :reference_to, presence: true
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.data['text'] = sanitize self.data['text']
+  end
 end

app/models/comment.rb

@@ -1,4 +1,12 @@
 class Comment < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   belongs_to :pia, inverse_of: :comments
   validates :reference_to, presence: true
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.description = sanitize read_attribute(:description)
+  end
 end

app/models/evaluation.rb

@@ -1,4 +1,13 @@
 class Evaluation < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   belongs_to :pia, inverse_of: :evaluations
   validates :reference_to, presence: true
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.action_plan_comment = sanitize read_attribute(:action_plan_comment)
+    self.evaluation_comment = sanitize read_attribute(:evaluation_comment)
+  end
 end

app/models/knowledge.rb

@@ -1,6 +1,13 @@
 class Knowledge < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   belongs_to :knowledge_base
-
   validates :name, presence: true
   validates :knowledge_base, presence: true
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.name = sanitize read_attribute(:name)
+  end
 end

app/models/knowledge_base.rb

@@ -1,6 +1,16 @@
 class KnowledgeBase < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   validates :name, presence: true
   validates :author, presence: true
   validates :contributors, presence: true
   has_many :knowledges, dependent: :destroy
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.name = sanitize read_attribute(:name)
+    self.author = sanitize read_attribute(:author)
+    self.contributors = sanitize read_attribute(:contributors)
+  end
 end

app/models/measure.rb

@@ -1,3 +1,13 @@
 class Measure < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   belongs_to :pia, inverse_of: :measures
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.title = sanitize read_attribute(:title)
+    self.content = sanitize read_attribute(:content)
+    self.placeholder = sanitize read_attribute(:placeholder)
+  end
 end

app/models/pia.rb

@@ -1,4 +1,5 @@
 class Pia < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   has_many :answers, inverse_of: :pia, dependent: :destroy
   has_many :comments, inverse_of: :pia, dependent: :destroy
   has_many :evaluations, inverse_of: :pia, dependent: :destroy
@@ -8,6 +9,8 @@ class Pia < ApplicationRecord
   belongs_to :structure, optional: true
   validates :name, presence: true
 
+  after_initialize :overwrite_to_safety_values
+
   def self.import(json_string)
     json = JSON.parse(json_string)
     json.each do |pia_in|
@@ -60,4 +63,12 @@ def duplicate_self
       end
     end
   end
+
+  def overwrite_to_safety_values
+    self.name = sanitize read_attribute(:name)
+    self.author_name = sanitize read_attribute(:author_name)
+    self.evaluator_name = sanitize read_attribute(:evaluator_name)
+    self.validator_name = sanitize read_attribute(:validator_name)
+    self.category = sanitize read_attribute(:category)
+  end
 end

app/models/structure.rb

@@ -1,3 +1,12 @@
 class Structure < ApplicationRecord
+  include ActionView::Helpers::SanitizeHelper
   has_many :pias, dependent: :nullify
+  after_initialize :overwrite_to_safety_values
+
+  private
+
+  def overwrite_to_safety_values
+    self.name = sanitize read_attribute(:name)
+    self.sector_name = sanitize read_attribute(:sector_name)
+  end
 end

config/application.rb

@@ -31,5 +31,10 @@ class Application < Rails::Application
     # Middleware like session, flash, cookies can be added back manually.
     # Skip views, helpers and assets when generating a new resource.
     config.api_only = true
+
+    tags_allowed = ENV['SANITIZED_ALLOWED_TAGS'] ? ENV['SANITIZED_ALLOWED_TAGS'].split(' ') : []
+    config.action_view.sanitized_allowed_tags = tags_allowed
+    attributes_allowed = ENV['SANITIZED_ALLOWED_ATTRIBUTES'] ? ENV['SANITIZED_ALLOWED_ATTRIBUTES'].split(' ') : []
+    config.action_view.sanitized_allowed_attributes = attributes_allowed
   end
 end