mirror of https://github.com/LaCasemate/fab-manager.git synced 2025-01-29 18:52:22 +01:00

[security] restrict allowed keys when creating/updating credits

Sylvain 2021-02-24 11:11:18 +01:00
parent ca9ff11fd4
commit 120c9144bb
2 changed files with 2 additions and 1 deletions


@ -2,6 +2,7 @@
## Next release
- Fix a security issue: possible SQL injection when dropping the database
- Fix a security issue: restrict allowed keys when creating/updating credits
## v4.7.1 2021 February 24
- Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168)
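Review bot: The new changelog line "restrict allowed keys when creating/updating credits" does not say what was exposed before the fix, so an operator reading the release notes cannot judge whether existing credit records need review. Consider naming the cause (the credits API accepted every key under `credit` via `permit!`) and the attributes that are now accepted, in the same way the axios entry below links to its CVE.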


@ -47,6 +47,6 @@ class API::CreditsController < API::ApiController
end
def credit_params
params.require(:credit).permit!
params.require(:credit).permit(:creditable_id, :creditable_type, :plan_id, :hours)
end
end
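Review bot: `:creditable_type` in the new `permit(...)` list of `credit_params` is still taken verbatim from the request, and as the type half of a polymorphic reference it decides which model class `creditable_id` resolves to. Unless the Credit model already validates it, add an inclusion check against the creditable classes the application actually supports, so the allow-list covers values as well as keys. The commit also changes only the changelog and the controller (2 files), so nothing guards against a later return to `permit!`; a request test that posts an extra key under `credit` to create and update and asserts it is not persisted would pin the behaviour.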