Sécurité du projet, en utilisant la gemme brakeman

This commit is contained in:
echarp 2014-06-09 20:36:53 +02:00
parent b3341c1e5d
commit 8940467779
11 changed files with 93 additions and 32 deletions

.gitignore vendored

@ -44,11 +44,6 @@ vendor/cache
# Acts as Indexed # Acts as Indexed
index/**/* index/**/*
# Refinery Specific
*.tmproj
*.autobackupbyrefinery.*
refinerycms-*.gem
# Mac # Mac
.DS_Store .DS_Store
@ -96,3 +91,6 @@ vendor/extensions/**/spec/dummy
# exuberant-ctags # exuberant-ctags
tags tags
# session secret
config/initializers/secret_token.rb
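Review bot: Ignoring `config/initializers/secret_token.rb` does not untrack it: if the file was already committed before this change, it stays in the index and in the repository history, so the session secret it holds must be treated as disclosed and regenerated, and the file dropped from tracking with `git rm --cached config/initializers/secret_token.rb`. Whether it was previously tracked is not visible in this hunk, so please confirm before merging. A comment stating how the file is provided in deployment would help future maintainers, e.g. `# session secret — generated per deployment (rake secret), never committed`.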


@ -78,4 +78,7 @@ group :development do
gem 'guard-minitest' gem 'guard-minitest'
gem 'quiet_assets' gem 'quiet_assets'
gem 'webrick', '>= 1.3.1' gem 'webrick', '>= 1.3.1'
# Security checks
gem 'brakeman', require: false
gem 'guard-brakeman'
end end
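Review bot: Placing `brakeman` only in `group :development` means a CI or deployment install that runs `bundle install --without development` never gets the scanner, so the check only happens on developer machines via Guard. If the scan is meant to gate merges, add a CI step (for example `bundle exec brakeman -q -z`, which exits non-zero on warnings) and make sure the group is installed there, or move the gem to a dedicated group; I cannot see the CI configuration from this hunk. The `group :development do` block starts outside the hunk.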


@ -7,7 +7,7 @@ GIT
GIT GIT
remote: git://github.com/gregbell/active_admin.git remote: git://github.com/gregbell/active_admin.git
revision: 3d7605f82706c8e107852f44c61ba6d8e9f2100d revision: 4f445b51c22b12af2cdde57fe2ce9835c32ef88e
specs: specs:
activeadmin (1.0.0.pre) activeadmin (1.0.0.pre)
arbre (~> 1.0) arbre (~> 1.0)
@ -65,6 +65,17 @@ GEM
bourbon (3.2.3) bourbon (3.2.3)
sass (~> 3.2) sass (~> 3.2)
thor thor
brakeman (2.6.0)
erubis (~> 2.6)
fastercsv (~> 1.5)
haml (>= 3.0, < 5.0)
highline (~> 1.6.20)
multi_json (~> 1.2)
ruby2ruby (~> 2.0.5)
ruby_parser (~> 3.5.0)
sass (~> 3.0)
slim (>= 1.3.6, < 3.0)
terminal-table (~> 1.4)
builder (3.2.2) builder (3.2.2)
celluloid (0.15.2) celluloid (0.15.2)
timers (~> 1.1.0) timers (~> 1.1.0)
@ -99,7 +110,8 @@ GEM
activemodel activemodel
erubis (2.7.0) erubis (2.7.0)
eventmachine (1.0.3) eventmachine (1.0.3)
execjs (2.1.0) execjs (2.2.0)
fastercsv (1.5.5)
ffi (1.9.3) ffi (1.9.3)
font-awesome-rails (4.1.0.0) font-awesome-rails (4.1.0.0)
railties (>= 3.2, < 5.0) railties (>= 3.2, < 5.0)
@ -114,6 +126,9 @@ GEM
lumberjack (~> 1.0) lumberjack (~> 1.0)
pry (>= 0.9.12) pry (>= 0.9.12)
thor (>= 0.18.1) thor (>= 0.18.1)
guard-brakeman (0.8.1)
brakeman (>= 2.1.1)
guard (>= 1.1.0)
guard-bundler (2.0.0) guard-bundler (2.0.0)
bundler (~> 1.0) bundler (~> 1.0)
guard (~> 2.2) guard (~> 2.2)
@ -134,13 +149,14 @@ GEM
has_scope (0.6.0.rc) has_scope (0.6.0.rc)
actionpack (>= 3.2, < 5) actionpack (>= 3.2, < 5)
activesupport (>= 3.2, < 5) activesupport (>= 3.2, < 5)
highline (1.6.21)
hike (1.2.3) hike (1.2.3)
http_parser.rb (0.6.0) http_parser.rb (0.6.0)
i18n (0.6.9) i18n (0.6.9)
inherited_resources (1.5.0) inherited_resources (1.5.0)
has_scope (~> 0.6.0.rc) has_scope (~> 0.6.0.rc)
responders (~> 1.0) responders (~> 1.0)
jbuilder (2.0.7) jbuilder (2.0.8)
activesupport (>= 3.0.0, < 5) activesupport (>= 3.0.0, < 5)
multi_json (~> 1.2) multi_json (~> 1.2)
jquery-rails (3.1.0) jquery-rails (3.1.0)
@ -152,10 +168,10 @@ GEM
jquery-ui-rails (4.2.1) jquery-ui-rails (4.2.1)
railties (>= 3.2.16) railties (>= 3.2.16)
json (1.8.1) json (1.8.1)
kaminari (0.15.1) kaminari (0.16.0)
actionpack (>= 3.0.0) actionpack (>= 3.0.0)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
listen (2.7.6) listen (2.7.7)
celluloid (>= 0.15.2) celluloid (>= 0.15.2)
rb-fsevent (>= 0.9.3) rb-fsevent (>= 0.9.3)
rb-inotify (>= 0.9) rb-inotify (>= 0.9)
@ -210,13 +226,18 @@ GEM
i18n i18n
polyamorous (~> 1.0.0) polyamorous (~> 1.0.0)
rb-fsevent (0.9.4) rb-fsevent (0.9.4)
rb-inotify (0.9.4) rb-inotify (0.9.5)
ffi (>= 0.5.0) ffi (>= 0.5.0)
rdoc (4.1.1) rdoc (4.1.1)
json (~> 1.4) json (~> 1.4)
redcarpet (3.1.2) redcarpet (3.1.2)
responders (1.1.0) responders (1.1.0)
railties (>= 3.2, < 5) railties (>= 3.2, < 5)
ruby2ruby (2.0.8)
ruby_parser (~> 3.1)
sexp_processor (~> 4.0)
ruby_parser (3.5.0)
sexp_processor (~> 4.1)
sass (3.2.19) sass (3.2.19)
sass-rails (4.0.3) sass-rails (4.0.3)
railties (>= 4.0.0, < 5.0) railties (>= 4.0.0, < 5.0)
@ -226,6 +247,10 @@ GEM
sdoc (0.4.0) sdoc (0.4.0)
json (~> 1.8) json (~> 1.8)
rdoc (~> 4.0, < 5.0) rdoc (~> 4.0, < 5.0)
sexp_processor (4.4.3)
slim (2.0.2)
temple (~> 0.6.6)
tilt (>= 1.3.3, < 2.1)
slop (3.5.0) slop (3.5.0)
spring (1.1.3) spring (1.1.3)
sprockets (2.11.0) sprockets (2.11.0)
@ -237,6 +262,8 @@ GEM
actionpack (>= 3.0) actionpack (>= 3.0)
activesupport (>= 3.0) activesupport (>= 3.0)
sprockets (~> 2.8) sprockets (~> 2.8)
temple (0.6.7)
terminal-table (1.4.5)
thor (0.19.1) thor (0.19.1)
thread_safe (0.3.4) thread_safe (0.3.4)
tilt (1.4.1) tilt (1.4.1)
@ -260,6 +287,7 @@ PLATFORMS
DEPENDENCIES DEPENDENCIES
activeadmin! activeadmin!
brakeman
coffee-rails coffee-rails
compass-rails compass-rails
devise devise
@ -268,6 +296,7 @@ DEPENDENCIES
email_validator email_validator
font-awesome-rails font-awesome-rails
gritter gritter
guard-brakeman
guard-bundler guard-bundler
guard-livereload guard-livereload
guard-minitest guard-minitest


@ -27,3 +27,10 @@ guard :minitest do
end end
notification :notifysend notification :notifysend
guard 'brakeman', run_on_start: true, quiet: true, min_confidence: 10 do
watch(%r{^app/.+\.(erb|haml|rhtml|rb)$})
watch(%r{^config/.+\.rb$})
watch(%r{^lib/.+\.rb$})
watch('Gemfile')
end
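Review bot: The watch list covers `Gemfile` but not `Gemfile.lock`, and Brakeman's gem-version checks read the exact versions from the lockfile, so a `bundle update` that pulls in a vulnerable or fixed gem version will not trigger a rescan; change the last watch to `watch(%r{^Gemfile(\.lock)?$})`. Separately, `min_confidence: 10` is far outside Brakeman's small integer confidence scale (high/medium/weak), so as far as I can tell it simply means "report every warning", which is fine but non-obvious — a comment such as `# min_confidence: 10 => report all warnings regardless of confidence` would make the intent explicit. Consider also watching `config/**/*.yml` if the locale or database config is ever interpolated into views or queries.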


@ -1,3 +1,10 @@
// Tag list in event display
p.tags a:after
color: black
content: ','
p.tags a:last-child:after
content: ''
.tag .tag
vertical-align: middle vertical-align: middle
sub sub


@ -4,7 +4,7 @@ class Event < ActiveRecord::Base
has_one :related_city, foreign_key: :name, primary_key: :city, class_name: City has_one :related_city, foreign_key: :name, primary_key: :city, class_name: City
validates_presence_of :title, :description, :city, :region, :url, :contact validates_presence_of :title, :description, :city, :region, :url, :contact
validates_format_of :url, with: /https?:\/\// validates_format_of :url, with: /\Ahttps?:\/\/.*\z/
validates :contact, email: true validates :contact, email: true
validates :submitter, email: true validates :submitter, email: true
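Review bot: The new anchors (`\A`…`\z`) fix the important part — a URL that merely contained `http://` on a later line can no longer pass, and since `show.html.haml` renders the value with `link_to @event.url, @event.url`, pinning the scheme to `http`/`https` is what keeps `javascript:`-style hrefs out. However `.*` still accepts whitespace and other non-URL characters after the scheme; `%r{\Ahttps?://\S+\z}` would reject embedded spaces, or the value could be checked with `URI.parse` in a custom validation if stricter parsing is wanted. Worth a one-line comment on why the anchors matter: `# \A..\z: the whole value must be an http(s) URL (it is rendered as an href)`. The `Event` class body starts before and continues after this hunk.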


@ -1,2 +1,2 @@
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true) :markdown
= raw markdown.render t '.content' #{t '.content'}
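Review bot: The removed line rendered the translation with `Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)`, while the `:markdown` filter delegates to whatever markdown engine Tilt picks up (presumably Redcarpet, which is in the lockfile) with its default options, so `autolink` and `tables` are no longer enabled and bare URLs or tables in the `.content` translation would now render as plain text. Please render the affected pages once to confirm, and if the options are needed, configure the filter's renderer in an initializer or keep a shared helper that builds the renderer with those options. The same swap is made in the other views touched by this commit, so one fix in a shared place would cover them all. Translation strings are trusted configuration, so the change is not a security regression by itself.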


@ -1,2 +1,2 @@
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true) :markdown
= raw markdown.render t '.content' #{t '.content'}


@ -1,5 +1,3 @@
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
= form_for @event do |f| = form_for @event do |f|
- if @event.errors.any? - if @event.errors.any?
#error_explanation.error.flash #error_explanation.error.flash
@ -8,15 +6,20 @@
%p= msg %p= msg
- unless @event.id - unless @event.id
= raw markdown.render t '.subtitle' :markdown
#{t '.subtitle'}
#advises= raw markdown.render t '.advises' #advises
:markdown
#{t '.advises'}
- else - else
= hidden_field_tag :secret, params[:secret] = hidden_field_tag :secret, params[:secret]
.field .field
.helper= raw markdown.render t '.title_helper' .helper
:markdown
#{t '.title_helper'}
= f.label :title = f.label :title
= f.text_field :title, required: true, size: 70 = f.text_field :title, required: true, size: 70
.field .field
@ -26,7 +29,9 @@
= f.label Event.human_attribute_name :end_time = f.label Event.human_attribute_name :end_time
= f.datetime_select :end_time, required: true = f.datetime_select :end_time, required: true
.field .field
.helper= raw markdown.render t '.description_helper' .helper
:markdown
#{t '.description_helper'}
= f.label Event.human_attribute_name :description = f.label Event.human_attribute_name :description
= f.text_area :description, required: true, rows: 29, cols: 80 = f.text_area :description, required: true, rows: 29, cols: 80
@ -42,19 +47,27 @@
= f.select :locality, = f.select :locality,
options_for_select([[t('attributes.locality_0'), 0], [t('attributes.locality_1'), 1]], @event.locality) options_for_select([[t('attributes.locality_0'), 0], [t('attributes.locality_1'), 1]], @event.locality)
.field .field
.helper= raw markdown.render t '.url_helper' .helper
:markdown
#{t '.url_helper'}
= f.label Event.human_attribute_name :url = f.label Event.human_attribute_name :url
= f.text_field :url, required: true, size: 70 = f.text_field :url, required: true, size: 70
.field .field
.helper= raw markdown.render t '.contact_helper' .helper
:markdown
#{t '.contact_helper'}
= f.label Event.human_attribute_name :contact = f.label Event.human_attribute_name :contact
= f.text_field :contact, required: true, size: 70 = f.text_field :contact, required: true, size: 70
.field .field
.helper= raw markdown.render t '.submitter_helper' .helper
:markdown
#{t '.submitter_helper'}
= f.label :submitter = f.label :submitter
= f.text_field :submitter, required: true, size: 70 = f.text_field :submitter, required: true, size: 70
.field .field
.helper= raw markdown.render t '.tags_helper' .helper
:markdown
#{t '.tags_helper'}
= f.label :tags = f.label :tags
= f.text_field :tags, size: 70 = f.text_field :tags, size: 70


@ -33,7 +33,9 @@
= link_to @event.region.name, "http://fr.wikipedia.org/wiki/#{@event.region.name}" rescue nil = link_to @event.region.name, "http://fr.wikipedia.org/wiki/#{@event.region.name}" rescue nil
%h3 Description %h3 Description
=raw @event.description = sanitize @event.description,
tags: %w(p br table tr td ul ol li a strong b em i img),
attributes: %w(href src width height)
%h3 Informations %h3 Informations
%p %p
@ -41,9 +43,11 @@
= link_to @event.url, @event.url = link_to @event.url, @event.url
%p %p
Contact: Contact:
= mail_to @event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT '), @event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT ') = mail_to @event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT '),
@event.contact.gsub('@', ' CHEZ ').gsub('.', ' POINT ')
- if (@event.tags && @event.tags.present?) - if (@event.tags && @event.tags.present?)
%p %p.tags
Tags: Tags:
=raw @event.tags.split.collect { |tag| link_to tag, events_url(tag: tag) }.join(', ') - @event.tags.split.each do |tag|
= link_to tag, events_url(tag: tag)
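Review bot: Allowing `img` with a free `src` in the sanitize allowlist lets an event submitter embed any remote image, so every visitor's browser fetches a third-party URL of the submitter's choosing (disclosing IP and user agent, and causing mixed-content warnings if the site is served over HTTPS); either drop `img` from `tags` or restrict `src` to same-origin or HTTPS URLs in a helper before rendering. For `a`/`href`, the Rails 4 whitelist sanitizer should strip `javascript:` and other non-allowlisted protocols as far as I know, but verify that on the Rails version in use, and consider adding `rel="nofollow"` to submitter-provided links. Replacing `raw @event.tags…join` with `each` + `link_to` is the right fix for the tag list. The enclosing template continues before this hunk.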


@ -38,5 +38,5 @@
%h3=t '.web' %h3=t '.web'
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true) :markdown
= raw markdown.render t '.webalizer' #{t '.webalizer'}