WIP: fix path traversal bug

discourse · Feb 7, 2024 · f7c923d · f7c923d
1 parent b828990
commit f7c923d
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 9 deletions.
diff --git a/lib/rubocop/cop/discourse/plugins/call_requires_plugin.rb b/lib/rubocop/cop/discourse/plugins/call_requires_plugin.rb
@@ -40,11 +40,11 @@ def requires_plugin_present_in_parent_classes(node)
           def base_controller_path(base_class)
             return if base_class.blank?
             base_path = "#{base_class.underscore}.rb"
-            path =
-              Pathname.new("#{processed_source.path}/../#{base_path}").cleanpath
-            until path.parent.root?
-              return path if path.exist?
-              path = path.join("../../#{base_path}")
+            path = Pathname.new("#{processed_source.path}/../").cleanpath
+            until path.root?
+              controller_path = path.join(base_path)
+              return controller_path if controller_path.exist?
+              path = path.join("..").cleanpath
             end
           end
         end

diff --git a/spec/fixtures/controllers/namespaced_parent_controller.rb b/spec/fixtures/controllers/namespaced_parent_controller.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class InheritFromOutsideController < MyPlugin::ApplicationController
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Discourse/Plugins/CallRequiresPlugin: Use `requires_plugin` in controllers to prevent routes from being accessible when plugin is disabled.
+end
diff --git a/spec/lib/rubocop/cop/plugins/call_requires_plugin_spec.rb b/spec/lib/rubocop/cop/plugins/call_requires_plugin_spec.rb
@@ -57,12 +57,24 @@ class MyController
     end
 
     context "when parent controller can’t be located" do
-      let(:controller) do
-        controllers_path.join("inherit_from_outside_controller.rb")
+      context "when parent controller is namespaced" do
+        let(:controller) do
+          controllers_path.join("namespaced_parent_controller.rb")
+        end
+
+        it "registers an offense" do
+          expect_offense(controller.read, controller.to_s)
+        end
       end
 
-      it "registers an offense" do
-        expect_offense(controller.read, controller.to_s)
+      context "when parent controller is not namespaced" do
+        let(:controller) do
+          controllers_path.join("inherit_from_outside_controller.rb")
+        end
+
+        it "registers an offense" do
+          expect_offense(controller.read, controller.to_s)
+        end
       end
     end
   end