Fix High Risk Security Vulnerabilities

.gitignore

@@ -8,6 +8,7 @@ config/database.yml
 config/auth.yml
 config/ci.yml
 config/settings.local.yml
+config/initializers/secret_token.rb
 .bundle
 db/*.sqlite3
 log/*.log

Gemfile

@@ -4,7 +4,9 @@ ruby '~> 2.3.1'
 
 gem 'acts-as-taggable-on'
 gem 'airbrake', '~> 4.3.8'
+gem 'brakeman'
 gem 'bourbon'
+gem 'brakeman'
 gem 'choices'
 gem 'daemons'
 gem 'delayed_job_active_record'

Gemfile.lock

@@ -1,38 +1,37 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.7)
-      actionpack (= 4.2.7)
-      actionview (= 4.2.7)
-      activejob (= 4.2.7)
+    actionmailer (4.2.10)
+      actionpack (= 4.2.10)
+      actionview (= 4.2.10)
+      activejob (= 4.2.10)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.7)
-      actionview (= 4.2.7)
-      activesupport (= 4.2.7)
+    actionpack (4.2.10)
+      actionview (= 4.2.10)
+      activesupport (= 4.2.10)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.7)
-      activesupport (= 4.2.7)
+    actionview (4.2.10)
+      activesupport (= 4.2.10)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.7)
-      activesupport (= 4.2.7)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (4.2.10)
+      activesupport (= 4.2.10)
       globalid (>= 0.3.0)
-    activemodel (4.2.7)
-      activesupport (= 4.2.7)
+    activemodel (4.2.10)
+      activesupport (= 4.2.10)
       builder (~> 3.1)
-    activerecord (4.2.7)
-      activemodel (= 4.2.7)
-      activesupport (= 4.2.7)
+    activerecord (4.2.10)
+      activemodel (= 4.2.10)
+      activesupport (= 4.2.10)
       arel (~> 6.0)
-    activesupport (4.2.7)
+    activesupport (4.2.10)
       i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
@@ -42,7 +41,7 @@ GEM
     airbrake (4.3.8)
       builder
       multi_json
-    arel (6.0.3)
+    arel (6.0.4)
     autoprefixer-rails (6.3.7)
       execjs
     awesome_print (1.7.0)
@@ -57,7 +56,8 @@ GEM
     bourbon (4.2.7)
       sass (~> 3.4)
       thor (~> 0.19)
-    builder (3.2.2)
+    brakeman (4.3.1)
+    builder (3.2.3)
     capybara (2.7.1)
       addressable
       mime-types (>= 1.16)
@@ -82,7 +82,7 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.10.0)
-    concurrent-ruby (1.0.2)
+    concurrent-ruby (1.0.5)
     cookiejar (0.3.3)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
@@ -146,8 +146,8 @@ GEM
     foreman (0.82.0)
       thor (~> 0.19.1)
     formatador (0.2.5)
-    globalid (0.3.6)
-      activesupport (>= 4.1.0)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
     guard (2.14.0)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
@@ -207,7 +207,7 @@ GEM
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     jshint_on_rails (1.0.3)
-    json (1.8.6)
+    json (2.1.0)
     jwt (1.5.6)
     kgio (2.10.0)
     kramdown (1.11.1)
@@ -225,12 +225,13 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.0.10)
-    mail (2.6.4)
-      mime-types (>= 1.16, < 4)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
     method_source (0.8.2)
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
+    mini_mime (1.0.0)
     mini_portile2 (2.3.0)
     minitest (5.11.3)
     multi_json (1.13.1)
@@ -281,21 +282,21 @@ GEM
       pry (>= 0.9.10)
     quiet_assets (1.1.0)
       railties (>= 3.1, < 5.0)
-    rack (1.6.9)
+    rack (1.6.10)
     rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.2.7)
-      actionmailer (= 4.2.7)
-      actionpack (= 4.2.7)
-      actionview (= 4.2.7)
-      activejob (= 4.2.7)
-      activemodel (= 4.2.7)
-      activerecord (= 4.2.7)
-      activesupport (= 4.2.7)
+    rails (4.2.10)
+      actionmailer (= 4.2.10)
+      actionpack (= 4.2.10)
+      actionview (= 4.2.10)
+      activejob (= 4.2.10)
+      activemodel (= 4.2.10)
+      activerecord (= 4.2.10)
+      activesupport (= 4.2.10)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.7)
+      railties (= 4.2.10)
       sprockets-rails
     rails-backbone (1.2.0)
       coffee-rails
@@ -315,9 +316,9 @@ GEM
       rails_stdout_logging
     rails_serve_static_assets (0.0.5)
     rails_stdout_logging (0.0.5)
-    railties (4.2.7)
-      actionpack (= 4.2.7)
-      activesupport (= 4.2.7)
+    railties (4.2.10)
+      actionpack (= 4.2.10)
+      activesupport (= 4.2.10)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     raindrops (0.16.0)
@@ -373,14 +374,14 @@ GEM
     spring (1.7.2)
     spring-commands-rspec (1.0.4)
       spring (>= 0.9.1)
-    sprockets (3.6.3)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.1.1)
+    sprockets-rails (3.2.1)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (0.19.1)
+    thor (0.19.4)
     thread_safe (0.3.6)
     tilt (2.0.8)
     timecop (0.8.1)
@@ -417,6 +418,7 @@ DEPENDENCIES
   better_errors
   bootstrap-sass
   bourbon
+  brakeman
   capybara
   capybara-webkit
   choices

README.md

@@ -227,6 +227,21 @@ like so:
 
 ## Deployment
 
+### Adding a secret token
+Before you can deploy this application you must provide a secret token in 
+`config/initializers/secret_token.rb`
+
+First execute `rake secret` and use it's result to replace the placeholder string in `secret_token.rb`.
+
+**Don't commit your secret to source control!**
+
+```ruby
+# config/initializers/secret_token.rb
+
+ProjectMonitor::Application.config.secret_token = "fill this in with the result of 'rake secret'"
+```
+
+
 ### Cloud Foundry
 ProjectMonitor requires a database that can handle more than 4 concurrent connections, otherwise occasional errors might pop up.
 

app/controllers/application_controller.rb

@@ -1,4 +1,4 @@
 class ApplicationController < ActionController::Base
   include IPWhitelistedController
-  protect_from_forgery
+  protect_from_forgery with: :exception
 end

app/controllers/projects_controller.rb

@@ -25,7 +25,7 @@ def new
   end
 
   def create
-    klass = params[:project][:type].present? ? params[:project][:type].constantize : Project
+    klass = params[:project][:type].present? ? ProjectTypeHelper.find_type(params[:project][:type]) : Project
     @project = klass.new(project_params)
     @project.creator = current_user
     if @project.save
@@ -49,7 +49,7 @@ def update
     Project.transaction do
       old_class = @project.class
       if params[:project][:type] && @project.type != params[:project][:type]
-        @project = @project.becomes(params[:project][:type].constantize)
+        @project = @project.becomes(ProjectTypeHelper.find_type(params[:project][:type]))
         if project = Project.where(id: @project.id)
           project.update_all(type: params[:project][:type])
         end
@@ -78,7 +78,7 @@ def validate_build_info
     project_id = params[:project][:id]
     project = project_id.present? ?
       Project.find(project_id).tap { |p| p.assign_attributes(project_params) } :
-      params[:project][:type].constantize.new(project_params)
+      ProjectTypeHelper.find_type(params[:project][:type]).new(project_params)
 
     status_updater = StatusUpdater.new
     project_updater = ProjectUpdater.new(

app/helpers/project_type_helper.rb

@@ -0,0 +1,26 @@
+module ProjectTypeHelper
+  def self.find_type(type)
+    raise 'Invalid Project Type' unless valid_project_type?(type)
+
+    type.constantize
+  end
+
+  private
+
+  def self.valid_project_type?(type)
+    %w[
+      JenkinsProject
+      CruiseControlProject
+      SemaphoreProject
+      TeamCityProject
+      TeamCityRestProject
+      TravisProject
+      TravisProProject
+      TddiumProject
+      CircleCiProject
+      ConcourseV1Project
+      ConcourseProject
+      CodeshipProject
+   ].include?(type)
+  end
+end

spec/helpers/project_type_helper_spec.rb

@@ -0,0 +1,53 @@
+describe ProjectTypeHelper do
+  it 'raises error for invalid project type' do
+    expect {ProjectTypeHelper.find_type('InvalidType')}.to raise_error(/Invalid Project Type/)
+  end
+
+  it 'find_type JenkinsProject' do
+    expect(ProjectTypeHelper.find_type('JenkinsProject')).to eq(JenkinsProject)
+  end
+
+  it 'find_type CruiseControlProject' do
+    expect(ProjectTypeHelper.find_type('CruiseControlProject')).to eq(CruiseControlProject)
+  end
+
+  it 'find_type SemaphoreProject' do
+    expect(ProjectTypeHelper.find_type('SemaphoreProject')).to eq(SemaphoreProject)
+  end
+
+  it 'find_type TeamCityRestProject' do
+    expect(ProjectTypeHelper.find_type('TeamCityRestProject')).to eq(TeamCityRestProject)
+  end
+
+  it 'find_type TeamCityProject' do
+    expect(ProjectTypeHelper.find_type('TeamCityProject')).to eq(TeamCityProject)
+  end
+
+  it 'find_type TravisProject' do
+    expect(ProjectTypeHelper.find_type('TravisProject')).to eq(TravisProject)
+  end
+
+  it 'find_type TravisProProject' do
+    expect(ProjectTypeHelper.find_type('TravisProProject')).to eq(TravisProProject)
+  end
+
+  it 'find_type TddiumProject' do
+    expect(ProjectTypeHelper.find_type('TddiumProject')).to eq(TddiumProject)
+  end
+
+  it 'find_type CircleCiProject' do
+    expect(ProjectTypeHelper.find_type('CircleCiProject')).to eq(CircleCiProject)
+  end
+
+  it 'find_type ConcourseV1Project' do
+    expect(ProjectTypeHelper.find_type('ConcourseV1Project')).to eq(ConcourseV1Project)
+  end
+
+  it 'find_type ConcourseProject' do
+    expect(ProjectTypeHelper.find_type('ConcourseProject')).to eq(ConcourseProject)
+  end
+
+  it 'find_type CodeshipProject' do
+    expect(ProjectTypeHelper.find_type('CodeshipProject')).to eq(CodeshipProject)
+  end
+end