RubyGems - solidus_backend - Versions diffs - 1.0.4 → 1.0.5 - Mend

solidus_backend 1.0.4 → 1.0.5

Potentially problematic release.

This version of solidus_backend might be problematic. Click here for more details.

Files changed (20) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 02b974645362da82b2400967d919cf00ba57887c
-  data.tar.gz: edf6dc31425526c2562e5120586525d6c5088f31
+  metadata.gz: de5973fabeefe021bc6172c76c6e1a1e02c49394
+  data.tar.gz: 05d29540a7e77b7821d80f2ce0511920dec88757
 SHA512:
-  metadata.gz: 8e6464351c9e0ad0830445790b9126a0cd7ddf345fb8467971d7a4a90be3db3e19a0442ce4c18c264bb480d34e892b1a89591a5243f1a49fa95d44afe6c7e434
-  data.tar.gz: 0c253286b3eef6125db0de099e2d64820de97a5194464c58d4d796231bd8f016f18271829489214528cb2e9b1cc4bf260d505069999ee49d9b4b8945097c8fa1
+  metadata.gz: 6d97bc9506580584a52f6627dbb70a33fed739686fa72da9ee321c0231a5521e49f79ff93a1b7ffc2cff5f9b42838e13fc93edd903e09344d62cc0a155f771ae
+  data.tar.gz: c214582ac6ba0bed1edc3b57a0f694e9342205c9b974574c225f7b6b0ad379949469841c4f7746ee8f5d0129c42270d936873b10a9ad5989823bc58d67ec72b2

data/app/assets/javascripts/spree/backend/checkouts/edit.js CHANGED Viewed

@@ -26,7 +26,7 @@ $(document).ready(function() {
           }
         },
         results: function(data, page) {
-          return { results: data }
+          return { results: data.users }
         }
       },
       dropdownCssClass: 'customer_search',
@@ -54,7 +54,7 @@ $(document).ready(function() {
             });
           });
         }
-        return customer.email;
+        return Select2.util.escapeMarkup(customer.email);
       }
     })
   }

data/app/assets/javascripts/spree/backend/option_type_autocomplete.js.erb CHANGED Viewed

@@ -1,6 +1,10 @@
 $(document).ready(function () {
   'use strict';
+  function formatOptionType(option_type) {
+    return Select2.util.escapeMarkup(option_type.presentation + ' (' + option_type.name + ')');
+  }
   if ($('#product_option_type_ids').length > 0) {
     $('#product_option_type_ids').select2({
       placeholder: Spree.translations.option_type_placeholder,
@@ -31,12 +35,8 @@ $(document).ready(function () {
           };
         }
       },
-      formatResult: function (option_type) {
-        return option_type.presentation + ' (' + option_type.name + ')';
-      },
-      formatSelection: function (option_type) {
-        return option_type.presentation + ' (' + option_type.name + ')';
-      }
+      formatResult: formatOptionType,
+      formatSelection: formatOptionType
     });
   }
 });

data/app/assets/javascripts/spree/backend/product_picker.js CHANGED Viewed

@@ -5,6 +5,10 @@ $.fn.productAutocomplete = function (options) {
   options = options || {}
   var multiple = typeof(options['multiple']) !== 'undefined' ? options['multiple'] : true
+  function formatProduct(product) {
+    return Select2.util.escapeMarkup(product.name);
+  }
   this.select2({
     minimumInputLength: 3,
     multiple: multiple,
@@ -37,12 +41,8 @@ $.fn.productAutocomplete = function (options) {
         };
       }
     },
-    formatResult: function (product) {
-      return product.name;
-    },
-    formatSelection: function (product) {
-      return product.name;
-    }
+    formatResult: formatProduct,
+    formatSelection: formatProduct
   });
 };

data/app/assets/javascripts/spree/backend/stock_movement.js.coffee CHANGED Viewed

@@ -17,5 +17,5 @@ jQuery ->
           return { results: data.stock_items, more: more }
       formatResult: (stock_item) ->
         variantTemplate({ variant: stock_item.variant })
-      formatSelection: (stock_item) ->
-        "#{stock_item.variant.name} (#{stock_item.variant.options_text})"
+      formatSelection: (stock_item, container, excapeMarkup) ->
+        Select2.util.escapeMarkup("#{stock_item.variant.name} (#{stock_item.variant.options_text})")

data/app/assets/javascripts/spree/backend/taxon_autocomplete.js.erb CHANGED Viewed

@@ -1,6 +1,10 @@
 'use strict';
 var set_taxon_select = function(){
+  function formatTaxon(taxon) {
+    return Select2.util.escapeMarkup(taxon.pretty_name);
+  }
   if ($('#product_taxon_ids').length > 0) {
     $('#product_taxon_ids').select2({
       placeholder: Spree.translations.taxon_placeholder,
@@ -37,12 +41,8 @@ var set_taxon_select = function(){
           };
         }
       },
-      formatResult: function (taxon) {
-        return taxon.pretty_name;
-      },
-      formatSelection: function (taxon) {
-        return taxon.pretty_name;
-      }
+      formatResult: formatTaxon,
+      formatSelection: formatTaxon
     });
   }
 }

data/app/assets/javascripts/spree/backend/taxons.js.coffee CHANGED Viewed

@@ -45,6 +45,9 @@ $(document).ready ->
     sortable.trigger('sortupdate', item: draggable)
   , 250
+  formatTaxon = (taxon) ->
+    Select2.util.escapeMarkup(taxon.pretty_name)
   $('#taxon_id').select2
     dropdownCssClass: "taxon_select_box",
     placeholder: Spree.translations.find_a_taxon,
@@ -59,10 +62,8 @@ $(document).ready ->
       results: (data) ->
         results: data['taxons'],
         more: data.current_page < data.pages
-    formatResult: (taxon) ->
-      taxon.pretty_name;
-    formatSelection: (taxon) ->
-      taxon.pretty_name;
+    formatResult: formatTaxon,
+    formatSelection: formatTaxon
   $('#taxon_id').on "change", (e) ->
     Spree.ajax

data/app/assets/javascripts/spree/backend/user_picker.js CHANGED Viewed

@@ -1,6 +1,10 @@
 $.fn.userAutocomplete = function () {
   'use strict';
+  function formatUser(user) {
+    return Select2.util.escapeMarkup(user.email);
+  }
   this.select2({
     minimumInputLength: 1,
     multiple: true,
@@ -8,7 +12,7 @@ $.fn.userAutocomplete = function () {
       $.get(Spree.routes.user_search, {
         ids: element.val()
       }, function (data) {
-        callback(data);
+        callback(data.users);
       });
     },
     ajax: {
@@ -23,16 +27,12 @@ $.fn.userAutocomplete = function () {
       },
       results: function (data) {
         return {
-          results: data
+          results: data.users
         };
       }
     },
-    formatResult: function (user) {
-      return user.email;
-    },
-    formatSelection: function (user) {
-      return user.email;
-    }
+    formatResult: formatUser,
+    formatSelection: formatUser
   });
 };

data/app/assets/javascripts/spree/backend/variant_autocomplete.js.coffee.erb CHANGED Viewed

@@ -35,8 +35,8 @@ $.fn.variantAutocomplete = (searchOptions = {}) ->
         results: data["variants"]
     formatResult: formatVariantResult
-    formatSelection: (variant) ->
+    formatSelection: (variant, container, escapeMarkup) ->
       if !!variant.options_text
-        variant.name + " (#{variant.options_text})"
+        Select2.util.escapeMarkup("#{variant.name} (#{variant.options_text}")
       else
-        variant.name
+        Select2.util.escapeMarkup(variant.name)

data/app/helpers/spree/admin/adjustments_helper.rb CHANGED Viewed

@@ -27,11 +27,15 @@ module Spree
         parts << variant.product.name
         parts << "(#{variant.options_text})" if variant.options_text.present?
         parts << line_item.display_total
-        parts.join("<br>").html_safe
+        safe_join(parts, "<br />".html_safe)
       end
       def display_shipment(shipment)
-        "#{Spree.t(:shipment)} ##{shipment.number}<br>#{shipment.display_cost}".html_safe
+        parts = [
+          "#{Spree.t(:shipment)} ##{shipment.number}",
+          shipment.display_cost
+        ]
+        safe_join(parts, "<br />".html_safe)
       end
       def display_order(order)

data/app/helpers/spree/admin/base_helper.rb CHANGED Viewed

@@ -15,8 +15,8 @@ module Spree
         obj = object.respond_to?(:errors) ? object : instance_variable_get("@#{object}")
         if obj && obj.errors[method].present?
-          errors = obj.errors[method].map { |err| h(err) }.join('<br />').html_safe
-          content_tag(:span, errors, :class => 'formError')
+          errors = safe_join(obj.errors[method], "<br />".html_safe)
+          content_tag(:span, errors, class: 'formError')
         else
           ''
         end
@@ -132,12 +132,11 @@ module Spree
       def preference_fields(object, form)
         return unless object.respond_to?(:preferences)
-        object.preferences.keys.map{ |key|
+        fields = object.preferences.keys.map { |key|
           form.label("preferred_#{key}", Spree.t(key) + ": ") +
-            preference_field_for(form, "preferred_#{key}", :type => object.preference_type(key))
-        }.join("<br />").html_safe
+            preference_field_for(form, "preferred_#{key}", type: object.preference_type(key))
+        }
+        safe_join(fields, "<br />".html_safe)
       end
       def link_to_add_fields(name, target, options = {})

data/app/helpers/spree/admin/navigation_helper.rb CHANGED Viewed

@@ -74,7 +74,7 @@ module Spree
         options[:class] = (options[:class].to_s + " fa fa-#{icon_name} icon_link with-tip").strip
         options[:class] += ' no-text' if options[:no_text]
         options[:title] = text if options[:no_text]
-        text = options[:no_text] ? '' : raw("<span class='text'>#{text}</span>")
+        text = options[:no_text] ? '' : content_tag(:span, text, class: 'text')
         options.delete(:no_text)
         link_to(text, url, options)
       end
@@ -107,16 +107,10 @@ module Spree
           if html_options[:icon]
             html_options[:class] += " fa fa-#{html_options[:icon]}"
           end
-          link_to(text_for_button_link(text, html_options), url, html_options)
+          link_to(text, url, html_options)
         end
       end
-      def text_for_button_link(text, html_options)
-        s = ''
-        s << text
-        raw(s)
-      end
       def configurations_menu_item(link_text, url, description = '')
         %(<tr>
           <td>#{link_to(link_text, url)}</td>

data/app/helpers/spree/admin/orders_helper.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Spree
                                     :data => { :confirm => Spree.t(:order_sure_want_to, :event => Spree.t(event)) })
           end
         end
-        links.join('&nbsp;').html_safe
+        safe_join(links, '&nbsp;'.html_safe)
       end
       def line_item_shipment_price(line_item, quantity)

data/app/helpers/spree/admin/products_helper.rb CHANGED Viewed

@@ -9,7 +9,8 @@ module Spree
                       :selected => ('selected' if selected)) do
             (taxon.ancestors.pluck(:name) + [taxon.name]).join(" -> ")
           end
-        end.join("").html_safe
+        end
+        safe_join(options)
       end
       def option_types_options_for(product)
@@ -20,7 +21,8 @@ module Spree
                       :selected => ('selected' if selected)) do
             option_type.name
           end
-        end.join("").html_safe
+        end
+        safe_join(options)
       end
     end
   end

data/app/helpers/spree/admin/stock_movements_helper.rb CHANGED Viewed

@@ -15,9 +15,9 @@ module Spree
       def display_variant(stock_movement)
         variant = stock_movement.stock_item.variant
-        output = variant.name
-        output += "<br>(#{variant.options_text})" unless variant.options_text.blank?
-        output.html_safe
+        output = [variant.name]
+        output << variant.options_text unless variant.options_text.blank?
+        safe_join(output, "<br />".html_safe)
       end
     end
   end

data/app/views/spree/admin/search/users.rabl CHANGED Viewed

@@ -1,4 +1,4 @@
-collection(@users)
+collection(@users => :users)
 attributes :email, :id
 address_fields = [:firstname, :lastname,
                   :address1, :address2,

data/spec/features/admin/orders/new_order_spec.rb CHANGED Viewed

@@ -172,6 +172,18 @@ describe "New Order", :type => :feature do
     end
   end
+  context "customer with attempted XSS", js: true do
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    before do
+      user.update!(email: xss_string)
+    end
+    it "displays the user's email escaped without executing" do
+      click_on "Customer Details"
+      targetted_select2_search user.email, from: "#s2id_customer_search"
+      expect(page).to have_field("Email", with: xss_string)
+    end
+  end
   def fill_in_address(kind = "bill")
     fill_in "First Name",                with: "John 99"
     fill_in "Last Name",                 with: "Doe"

data/spec/features/admin/products/edit/taxons_spec.rb CHANGED Viewed

@@ -11,15 +11,16 @@ describe "Product Taxons", :type => :feature do
     Capybara.ignore_hidden_elements = false
   end
-  context "managing taxons" do
+  context "managing taxons", js: true do
     def selected_taxons
       find("#product_taxon_ids").value.split(',').map(&:to_i).uniq
     end
-    it "should allow an admin to manage taxons", :js => true do
+    let(:product) { create(:product) }
+    it "should allow an admin to manage taxons" do
       taxon_1 = create(:taxon)
-      taxon_2 = create(:taxon, :name => 'Clothing')
-      product = create(:product)
+      taxon_2 = create(:taxon, name: 'Clothing')
       product.taxons << taxon_1
       visit spree.admin_path
@@ -39,5 +40,17 @@ describe "Product Taxons", :type => :feature do
       expect(page).to have_css(".select2-search-choice", text: taxon_1.name)
       expect(page).to have_css(".select2-search-choice", text: taxon_2.name)
     end
+    context "with an XSS attempt" do
+      let(:taxon_name) { %(<script>throw("XSS")</script>) }
+      let!(:taxon) { create(:taxon, name: taxon_name) }
+      it "displays the escaped HTML without executing it" do
+        visit spree.edit_admin_product_path(product)
+        select2_search "<script>", from: "Taxons"
+        expect(page).to have_content(taxon_name)
+      end
+    end
   end
 end

data/spec/features/admin/promotions/user_rule_spec.rb ADDED Viewed

@@ -0,0 +1,25 @@
+require 'spec_helper'
+feature 'Promotion with user rule', js: true do
+  stub_authorization!
+  given(:promotion) { create :promotion }
+  background do
+    visit spree.edit_admin_promotion_path(promotion)
+  end
+  context "with an attempted XSS" do
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    given!(:user) { create(:user, email: xss_string) }
+    scenario "adding an option value rule" do
+      select2 "User", from: "Add rule of type"
+      within("#rules_container") { click_button "Add" }
+      select2_search "<script>", from: "Choose users"
+      expect(page).to have_content(xss_string)
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_backend
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Solidus Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-01-22 00:00:00.000000000 Z
+date: 2016-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_api
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 1.0.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 1.0.5
 - !ruby/object:Gem::Dependency
   name: solidus_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 1.0.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.4
+        version: 1.0.5
 - !ruby/object:Gem::Dependency
   name: bourbon
   requirement: !ruby/object:Gem::Requirement
@@ -639,6 +639,7 @@ files:
 - spec/features/admin/products/variant_spec.rb
 - spec/features/admin/promotion_adjustments_spec.rb
 - spec/features/admin/promotions/tiered_calculator_spec.rb
+- spec/features/admin/promotions/user_rule_spec.rb
 - spec/features/admin/reports_spec.rb
 - spec/features/admin/stock_transfer_spec.rb
 - spec/features/admin/store_credits_spec.rb
@@ -712,3 +713,4 @@ signing_key:
 specification_version: 4
 summary: Admin interface for the Solidus e-commerce framework.
 test_files: []
+has_rdoc: