
Commit cccc99c

authored
Merge pull request #24024 from opf/vulnerability/sc-269-csrf-through-admin-import-jira-2-run-new-via-http-method-import-jira-id-run-new
[SC-269] Backport #23993 to v17.6
2 parents cf0b02c + 9dc0e81 commit cccc99c

4 files changed

Lines changed: 8 additions & 7 deletions


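--- a/app/controllers/admin/import/jira/import_runs_controller.rb
+++ b/app/controllers/admin/import/jira/import_runs_controller.rb
@@ -51,7 +51,7 @@ class ImportRunsController < ApplicationController
 
 def show; end
 
-def new
+def create
 jira = Import::Jira.find(params[:jira_id])
 jira_import = Import::JiraImport.create!(author_id: current_user.id, jira_id: jira.id)
 redirect_to(admin_import_jira_run_path(jira_id: jira.id, id: jira_import.id))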
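Review bot: Renaming `new` to `create` moves the record creation behind a POST, but nothing in this hunk shows that the POST is actually covered by forgery verification; that depends on `ApplicationController` enabling `protect_from_forgery` (not visible here), and the method body continues past the hunk. A short comment on the action would record why it must stay POST-only, e.g. `# Creates a JiraImport; must remain a non-GET action so Rails' CSRF check applies (SC-269).`. `Import::Jira.find` raises `ActiveRecord::RecordNotFound` for an unknown `jira_id`; presumably that is mapped to a 404 upstream, worth confirming rather than assuming.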

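--- a/app/views/admin/import/jira/instances/show.html.erb
+++ b/app/views/admin/import/jira/instances/show.html.erb
@@ -60,7 +60,8 @@ See COPYRIGHT and LICENSE files for more details.
 scheme: :primary,
 tag: :a,
 size: :medium,
-href: new_admin_import_jira_run_path(jira_id: @jira.id)
+href: admin_import_jira_run_index_path(jira_id: @jira.id),
+data: { turbo_method: :post }
 )
 ) do |button|
 button.with_leading_visual_icon(icon: :plus)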
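Review bot: The POST only happens because `data: { turbo_method: :post }` is interpreted by Turbo's JavaScript on an `<a>` element (`tag: :a`); if Turbo is not loaded or fails on the page, the browser follows `href` as a plain GET to `admin_import_jira_run_index_path`, which the routes change still exposes. If that fallback matters, a real form (`button_to`, or `form_with method: :post` around a `tag: :button` Primer button) encodes the method in HTML rather than in a data attribute. Either way the authenticity token is presumably supplied by the CSRF meta tag / form helper, which is what the fix relies on and is not visible in this hunk.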

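--- a/config/routes.rb
+++ b/config/routes.rb
@@ -798,7 +798,7 @@
 member do
 delete :delete_token
 end
-resources :run, controller: "/admin/import/jira/import_runs", module: :jiras do
+resources :run, controller: "/admin/import/jira/import_runs", module: :jiras, except: [:new] do
 member do
 get :continue
 post :continue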
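Review bot: `except: [:new]` removes only the route that caused the issue and keeps `index`, `edit`, `update` and `destroy` routed to the same controller; if `ImportRunsController` implements only `show`, `create` and `continue` (its action list is not visible here), an allowlist such as `resources :run, controller: "/admin/import/jira/import_runs", module: :jiras, only: %i[index show create] do` exposes nothing unintended and would also have made the stray `new` route impossible. The `member` block pairs `get :continue` with `post :continue`; whether the GET variant is side-effect-free is not shown in this hunk and is worth the same scrutiny the `new` action received. The `resources` block continues past the hunk.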

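--- a/spec/controllers/admin/import/jira/import_runs_controller_spec.rb
+++ b/spec/controllers/admin/import/jira/import_runs_controller_spec.rb
@@ -87,8 +87,8 @@ def transition_to_state(jira_import, target_state)
 expect(response).to have_http_status(:forbidden)
 end
 
-it "returns forbidden for GET #new" do
-get :new, params: { jira_id: jira.id }
+it "returns forbidden for POST #create" do
+post :create, params: { jira_id: jira.id }
 expect(response).to have_http_status(:forbidden)
 end
 
@@ -132,10 +132,10 @@ def transition_to_state(jira_import, target_state)
 end
 end
 
-describe "GET #new" do
+describe "POST #create" do
 it "creates a new jira import and redirects to show" do
 expect do
-get :new, params: { jira_id: jira.id }
+post :create, params: { jira_id: jira.id }
 end.to change(Import::JiraImport, :count).by(1)
 
 new_import = Import::JiraImport.last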
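Review bot: Switching the examples to `post :create` verifies routing and authorization but not the CSRF property this backport is about, because Rails controller specs run with `ActionController::Base.allow_forgery_protection` disabled, so a missing or wrong authenticity token would not fail here. A request spec, or an example that enables forgery protection around the call and issues the POST without a token, expecting the request to be rejected, would pin the regression; a companion example asserting that `get :new` no longer routes would cover the `except: [:new]` change. The `it` block in the second hunk and its enclosing `describe` continue past the hunk.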
