agenda-libre/agenda-libre-ruby
agenda-libre/agenda-libre-ruby
2
1
Fork 0
Code Issues Pull Requests Releases Activity

Sécurité du projet, en utilisant la gemme brakeman

Browse Source
This commit is contained in:
echarp 2014-06-09 20:36:53 +02:00
parent b3341c1e5d
commit 8940467779
11 changed files with 93 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.gitignore vendored
View File

@ -44,11 +44,6 @@ vendor/cache
# Acts as Indexed
index/**/*
# Refinery Specific
*.tmproj
*.autobackupbyrefinery.*
refinerycms-*.gem
# Mac
.DS_Store
@ -96,3 +91,6 @@ vendor/extensions/**/spec/dummy
# exuberant-ctags
tags
# session secret
config/initializers/secret_token.rb

3
Gemfile
View File

@ -78,4 +78,7 @@ group :development do
gem 'guard-minitest'
gem 'quiet_assets'
gem 'webrick', '>= 1.3.1'
# Security checks
gem 'brakeman', require: false
gem 'guard-brakeman'
end

41
Gemfile.lock
View File

@ -7,7 +7,7 @@ GIT
GIT
remote: git://github.com/gregbell/active_admin.git
revision: 3d7605f82706c8e107852f44c61ba6d8e9f2100d
revision: 4f445b51c22b12af2cdde57fe2ce9835c32ef88e
specs:
activeadmin (1.0.0.pre)
arbre (~> 1.0)
@ -65,6 +65,17 @@ GEM
bourbon (3.2.3)
sass (~> 3.2)
thor
brakeman (2.6.0)
erubis (~> 2.6)
fastercsv (~> 1.5)
haml (>= 3.0, < 5.0)
highline (~> 1.6.20)
multi_json (~> 1.2)
ruby2ruby (~> 2.0.5)
ruby_parser (~> 3.5.0)
sass (~> 3.0)
slim (>= 1.3.6, < 3.0)
terminal-table (~> 1.4)
builder (3.2.2)
celluloid (0.15.2)
timers (~> 1.1.0)
@ -99,7 +110,8 @@ GEM
activemodel
erubis (2.7.0)
eventmachine (1.0.3)
execjs (2.1.0)
execjs (2.2.0)
fastercsv (1.5.5)
ffi (1.9.3)
font-awesome-rails (4.1.0.0)
railties (>= 3.2, < 5.0)
@ -114,6 +126,9 @@ GEM
lumberjack (~> 1.0)
pry (>= 0.9.12)
thor (>= 0.18.1)
guard-brakeman (0.8.1)
brakeman (>= 2.1.1)
guard (>= 1.1.0)
guard-bundler (2.0.0)
bundler (~> 1.0)
guard (~> 2.2)
@ -134,13 +149,14 @@ GEM
has_scope (0.6.0.rc)
actionpack (>= 3.2, < 5)
activesupport (>= 3.2, < 5)
highline (1.6.21)
hike (1.2.3)
http_parser.rb (0.6.0)
i18n (0.6.9)
inherited_resources (1.5.0)
has_scope (~> 0.6.0.rc)
responders (~> 1.0)
jbuilder (2.0.7)
jbuilder (2.0.8)
activesupport (>= 3.0.0, < 5)
multi_json (~> 1.2)
jquery-rails (3.1.0)
@ -152,10 +168,10 @@ GEM
jquery-ui-rails (4.2.1)
railties (>= 3.2.16)
json (1.8.1)
kaminari (0.15.1)
kaminari (0.16.0)
actionpack (>= 3.0.0)
activesupport (>= 3.0.0)
listen (2.7.6)
listen (2.7.7)
celluloid (>= 0.15.2)
rb-fsevent (>= 0.9.3)
rb-inotify (>= 0.9)
@ -210,13 +226,18 @@ GEM
i18n
polyamorous (~> 1.0.0)
rb-fsevent (0.9.4)
rb-inotify (0.9.4)
rb-inotify (0.9.5)
ffi (>= 0.5.0)
rdoc (4.1.1)
json (~> 1.4)
redcarpet (3.1.2)
responders (1.1.0)
railties (>= 3.2, < 5)
ruby2ruby (2.0.8)
ruby_parser (~> 3.1)
sexp_processor (~> 4.0)
ruby_parser (3.5.0)
sexp_processor (~> 4.1)
sass (3.2.19)
sass-rails (4.0.3)
railties (>= 4.0.0, < 5.0)
@ -226,6 +247,10 @@ GEM
sdoc (0.4.0)
json (~> 1.8)
rdoc (~> 4.0, < 5.0)
sexp_processor (4.4.3)
slim (2.0.2)
temple (~> 0.6.6)
tilt (>= 1.3.3, < 2.1)
slop (3.5.0)
spring (1.1.3)
sprockets (2.11.0)
@ -237,6 +262,8 @@ GEM
actionpack (>= 3.0)
activesupport (>= 3.0)
sprockets (~> 2.8)
temple (0.6.7)
terminal-table (1.4.5)
thor (0.19.1)
thread_safe (0.3.4)
tilt (1.4.1)
@ -260,6 +287,7 @@ PLATFORMS
DEPENDENCIES
activeadmin!
brakeman
coffee-rails
compass-rails
devise
@ -268,6 +296,7 @@ DEPENDENCIES
email_validator
font-awesome-rails
gritter
guard-brakeman
guard-bundler
guard-livereload
guard-minitest

7
Guardfile
View File

@ -27,3 +27,10 @@ guard :minitest do
end
notification :notifysend
guard 'brakeman', run_on_start: true, quiet: true, min_confidence: 10 do
watch(%r{^app/.+\.(erb|haml|rhtml|rb)$})
watch(%r{^config/.+\.rb$})
watch(%r{^lib/.+\.rb$})
watch('Gemfile')
end

7
app/assets/stylesheets/tags.css.sass
View File

@ -1,3 +1,10 @@
// Tag list in event display
p.tags a:after
color: black
content: ','
p.tags a:last-child:after
content: ''
.tag
vertical-align: middle
sub

2
app/models/event.rb
View File

@ -4,7 +4,7 @@ class Event < ActiveRecord::Base
has_one :related_city, foreign_key: :name, primary_key: :city, class_name: City
validates_presence_of :title, :description, :city, :region, :url, :contact
validates_format_of :url, with: /https?:\/\//
validates_format_of :url, with: /\Ahttps?:\/\/.*\z/
validates :contact, email: true
validates :submitter, email: true

4
app/views/application/contact.haml
View File

@ -1,2 +1,2 @@
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
= raw markdown.render t '.content'
:markdown
#{t '.content'}

4
app/views/application/infos.haml
View File

@ -1,2 +1,2 @@
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
= raw markdown.render t '.content'
:markdown
#{t '.content'}

33
app/views/events/_form.html.haml
View File

@ -1,5 +1,3 @@
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
= form_for @event do |f|
- if @event.errors.any?
#error_explanation.error.flash
@ -8,15 +6,20 @@
%p= msg
- unless @event.id
= raw markdown.render t '.subtitle'
:markdown
#{t '.subtitle'}
#advises= raw markdown.render t '.advises'
#advises
:markdown
#{t '.advises'}
- else
= hidden_field_tag :secret, params[:secret]
.field
.helper= raw markdown.render t '.title_helper'
.helper
:markdown
#{t '.title_helper'}
= f.label :title
= f.text_field :title, required: true, size: 70
.field
@ -26,7 +29,9 @@
= f.label Event.human_attribute_name :end_time
= f.datetime_select :end_time, required: true
.field
.helper= raw markdown.render t '.description_helper'
.helper
:markdown
#{t '.description_helper'}
= f.label Event.human_attribute_name :description
= f.text_area :description, required: true, rows: 29, cols: 80
@ -42,19 +47,27 @@
= f.select :locality,
options_for_select([[t('attributes.locality_0'), 0], [t('attributes.locality_1'), 1]], @event.locality)
.field
.helper= raw markdown.render t '.url_helper'
.helper
:markdown
#{t '.url_helper'}
= f.label Event.human_attribute_name :url
= f.text_field :url, required: true, size: 70
.field
.helper= raw markdown.render t '.contact_helper'
.helper
:markdown
#{t '.contact_helper'}
= f.label Event.human_attribute_name :contact
= f.text_field :contact, required: true, size: 70
.field
.helper= raw markdown.render t '.submitter_helper'
.helper
:markdown
#{t '.submitter_helper'}
= f.label :submitter
= f.text_field :submitter, required: true, size: 70
.field
.helper= raw markdown.render t '.tags_helper'
.helper
:markdown
#{t '.tags_helper'}
= f.label :tags
= f.text_field :tags, size: 70

12
app/views/events/show.html.haml
View File

@ -33,7 +33,9 @@
= link_to @event.region.name, "http://fr.wikipedia.org/wiki/#{@event.region.name}" rescue nil
%h3 Description
=raw @event.description
= sanitize @event.description,
tags: %w(p br table tr td ul ol li a strong b em i img),
attributes: %w(href src width height)
%h3 Informations
%p
@ -41,9 +43,11 @@
= link_to @event.url, @event.url
%p
Contact:
= mail_to @event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT '), @event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT ')
= mail_to @event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT '),
@event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT ')
- if (@event.tags && @event.tags.present?)
%p
%p.tags
Tags:
=raw @event.tags.split.collect { |tag| link_to tag, events_url(tag: tag) }.join(', ')
- @event.tags.split.each do |tag|
= link_to tag, events_url(tag: tag)

4
app/views/regions/stats.html.haml
View File

@ -38,5 +38,5 @@
%h3=t '.web'
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
= raw markdown.render t '.webalizer'
:markdown
#{t '.webalizer'}