Merge pull request #42 from uclibs/feature/samvera-deprecated#319-sam…

…vera-deprecated#318-samvera-deprecated#316-samvera-deprecated#320-hailstorm-fixes

Fix Hailstorm vulnerabilities

app/controllers/catalog_controller.rb

@@ -23,6 +23,7 @@ class CatalogController < ApplicationController
   CatalogController.solr_search_params_logic += [:show_only_works]
   CatalogController.solr_search_params_logic += [:show_only_editors]
   before_filter :agreed_to_terms_of_service!
+  before_filter :check_parameters?
 
   skip_before_filter :default_html_head
 
@@ -342,6 +343,14 @@ def self.search_config
     config.spell_max = 5
   end
 
+    def check_parameters?(params_to_check=[:page, :per_page])
+      params_to_check.each do |param|
+        render(:file => File.join(Rails.root, 'public/404.html'), :status => 404) unless params[param].to_i.to_s == params[param] or params[param].nil?
+        render(:file => File.join(Rails.root, 'public/404.html'), :status => 404) unless params[param].to_i < 1000
+      end
+      render(:file => File.join(Rails.root, 'public/404.html'), :status => 404) unless params[:q].nil? or params[:q].length < 1000
+    end
+
   protected
 
     # Override Hydra::PolicyAwareAccessControlsEnforcement
@@ -416,4 +425,6 @@ def exclude_class_filter(klass)
       '-' + ActiveFedora::SolrService.construct_query_for_rel(has_model:
                                                         klass.to_class_uri)
     end
+
+
 end

lib/tasks/embargo_manager.rake

@@ -4,7 +4,7 @@ namespace :embargomanager do
     solr_results = ActiveFedora::SolrService.query( 'embargo_release_date_dtsi:[* TO *]' )
     solr_results.each do |work|
       if Date.parse(work['embargo_release_date_dtsi']) <= Date.today
-      	Sufia.queue.push(EmbargoWorker.new(work['id']))
+        Sufia.queue.push(EmbargoWorker.new(work['id']))
         receiver = work['depositor_tesim']
         mail_contents = work['desc_metadata__title_tesim']
         EmbargoMailer.notify(receiver, mail_contents).deliver

spec/controllers/catalog_controller_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe CatalogController do
-
+  
   describe "when logged in" do
     let(:user) { FactoryGirl.create(:user) }
     let!(:work1) { FactoryGirl.create(:generic_work, user: user) }
@@ -21,7 +21,7 @@
       it "should return just my works" do
         get 'index', works: 'mine'
         response.should be_successful
-        assigns(:document_list).map(&:id).should == [work1.id]
+          assigns(:document_list).map(&:id).should == [work1.id]
       end
     end
 
@@ -75,6 +75,5 @@
         assigns(:document_list).map(&:id).should include(work2.id)
       end
     end
-
   end
 end

spec/features/catalog_search_spec.rb

@@ -5,6 +5,35 @@
   describe_options[:js] = true
 end
 
+describe "Visit the catalog index page" do
+  context "when the per_page parameter is out of range" do
+    it "returns a custom error page" do
+      visit ('/catalog?per_page=1000')
+      expect(page).to have_content("The page you were looking for doesn't exist")
+    end
+  end
+end
+
+describe "Visit the catalog index page" do
+  context "when the page parameter is out of range" do
+    it "returns a custom error page" do
+      visit ('/catalog?page=1000')
+      expect(page).to have_content("The page you were looking for doesn't exist")
+    end
+  end
+end
+
+describe "Visit the catalog index page" do
+  context "when the q parameter is out of range" do
+    it "returns a custom error page" do
+      long_string = ""
+      250.times{long_string << "test"}
+      visit ("/catalog?q=#{long_string}")
+      expect(page).to have_content("The page you were looking for doesn't exist")
+    end
+  end
+end
+
 describe 'catalog search', describe_options do
   before do
     Rails.configuration.consider_all_requests_local = true