mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-12 05:15:12 +08:00
727029a298
Moderators could bypass report visibility restrictions by using the CSV export endpoint to export admin-only reports like top_uploads. --- **Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-rhjf-mgqw-37wq
74 lines
2.2 KiB
Ruby
74 lines
2.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class ExportCsvController < ApplicationController
|
|
requires_login
|
|
skip_before_action :preload_json, :check_xhr, only: [:show]
|
|
|
|
def export_entity
|
|
entity = export_params[:entity]
|
|
entity_id = params.dig(:args, :export_user_id)&.to_i if entity == "user_archive"
|
|
guardian.ensure_can_export_entity!(entity, entity_id, export_params[:args])
|
|
raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100
|
|
|
|
(export_params[:args] || {}).each do |key, value|
|
|
unless value.is_a?(String) && value.size < 100
|
|
raise Discourse::InvalidParameters.new("args.#{key}")
|
|
end
|
|
end
|
|
|
|
if entity == "user_archive"
|
|
requesting_user_id = current_user.id if entity_id
|
|
|
|
# Rate limit user archive exports to 1 per day
|
|
unless current_user.admin ||
|
|
UserExport.where(
|
|
user_id: entity_id || current_user.id,
|
|
created_at: (Time.zone.now.all_day),
|
|
).count == 0
|
|
render_json_error I18n.t("csv_export.rate_limit_error")
|
|
return
|
|
end
|
|
|
|
Jobs.enqueue(
|
|
:export_user_archive,
|
|
user_id: entity_id || current_user.id,
|
|
requesting_user_id:,
|
|
args: export_params[:args],
|
|
)
|
|
else
|
|
Jobs.enqueue(
|
|
:export_csv_file,
|
|
entity: entity,
|
|
user_id: current_user.id,
|
|
args: export_params[:args],
|
|
)
|
|
end
|
|
StaffActionLogger.new(current_user).log_entity_export(entity)
|
|
render json: success_json
|
|
rescue Discourse::InvalidAccess
|
|
render_json_error I18n.t("csv_export.rate_limit_error")
|
|
end
|
|
|
|
def latest_user_archive
|
|
user_id = params[:user_id].to_i
|
|
# If we can't export the entity, we shouldn't be able to see it either
|
|
guardian.ensure_can_export_entity!("user_archive", user_id)
|
|
|
|
render json:
|
|
UserExport
|
|
.where(user_id:)
|
|
.where("created_at > ?", UserExport::DESTROY_CREATED_BEFORE.ago)
|
|
.order(created_at: :desc)
|
|
.first
|
|
end
|
|
|
|
private
|
|
|
|
def export_params
|
|
@_export_params ||=
|
|
begin
|
|
params.require(:entity)
|
|
params.permit(:entity, args: [*Report::FILTERS, *UserHistory.staff_filters]).to_h
|
|
end
|
|
end
|
|
end
|
