fixed format-validation vulnerability for submitting phone number

uclibs · Sep 7, 2023 · 7f4f481 · 7f4f481
1 parent 6df60d8
commit 7f4f481
Show file tree

Hide file tree

Showing 5 changed files with 674 additions and 14 deletions.
diff --git a/Gemfile b/Gemfile
@@ -65,6 +65,7 @@ group :development, :test do
 end
 
 group :development do
+ gem 'brakeman', '~> 6.0'
  gem 'capistrano', '~> 3.17.1', require: false
  gem 'capistrano-bundler', '~> 1.6', require: false
  gem 'capistrano-rails', '~> 1.4', require: false
@@ -73,10 +74,10 @@ group :development do
  gem 'capistrano-rvm', require: false
  # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
  gem 'listen', '>= 3.0.5', '< 3.2'
- gem 'web-console', '>= 3.3.0'
  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
  gem 'spring'
  gem 'spring-watcher-listen', '~> 2.0.0'
+ gem 'web-console', '>= 3.3.0'
 end
 
 group :test do

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -65,7 +65,7 @@ GEM
  airbrussh (1.4.2)
  sshkit (>= 1.6.1, != 1.7.0)
  ast (2.4.2)
- autoprefixer-rails (10.4.13.0)
+ autoprefixer-rails (10.4.15.0)
  execjs (~> 2)
  base64 (0.1.1)
  bcrypt_pbkdf (1.1.0)
@@ -76,6 +76,7 @@ GEM
  autoprefixer-rails (>= 9.1.0)
  popper_js (>= 1.14.3, < 2)
  sassc-rails (>= 2.0.0)
+ brakeman (6.0.1)
  builder (3.2.4)
  byebug (11.1.3)
  capistrano (3.17.3)
@@ -139,8 +140,8 @@ GEM
  factory_bot (~> 6.2.0)
  railties (>= 5.0.0)
  ffi (1.15.5)
- globalid (1.1.0)
- activesupport (>= 5.0)
+ globalid (1.2.1)
+ activesupport (>= 6.1)
  htmlentities (4.3.4)
  i18n (1.14.1)
  concurrent-ruby (~> 1.0)
@@ -168,7 +169,7 @@ GEM
  matrix (0.4.2)
  method_source (1.0.0)
  mini_mime (1.1.5)
- minitest (5.19.0)
+ minitest (5.20.0)
  msgpack (1.7.2)
  mysql2 (0.5.5)
  net-imap (0.3.7)
@@ -196,7 +197,7 @@ GEM
  puma (3.12.6)
  racc (1.7.1)
  rack (2.2.8)
- rack-proxy (0.7.6)
+ rack-proxy (0.7.7)
  rack
  rack-test (2.1.0)
  rack (>= 1.3)
@@ -294,7 +295,7 @@ GEM
  sprockets (> 3.0)
  sprockets-rails
  tilt
- selenium-webdriver (4.11.0)
+ selenium-webdriver (4.12.0)
  rexml (~> 3.2, >= 3.2.5)
  rubyzip (>= 1.2.2, < 3.0)
  websocket (~> 1.0)
@@ -339,7 +340,7 @@ GEM
  uglifier (4.2.0)
  execjs (>= 0.3.0, < 3)
  unicode-display_width (2.4.2)
- web-console (4.2.0)
+ web-console (4.2.1)
  actionview (>= 6.0.0)
  activemodel (>= 6.0.0)
  bindex (>= 0.4.0)
@@ -364,6 +365,7 @@ DEPENDENCIES
  bcrypt_pbkdf
  bootsnap (>= 1.1.0)
  bootstrap (~> 4.4.1)
+ brakeman (~> 6.0)
  byebug
  capistrano (~> 3.17.1)
  capistrano-bundler (~> 1.6)

diff --git a/app/models/submitter.rb b/app/models/submitter.rb
@@ -5,7 +5,7 @@ class Submitter < ApplicationRecord
  validates :first_name, presence: true
  validates :last_name, presence: true
  validates :mailing_address, presence: true
- validates :phone_number, presence: true, format: { with: /\d{3}-\d{3}-\d{4}/, message: 'Please use the format 111-111-1111' }
+ validates :phone_number, presence: true, format: { with: /\A\d{3}-\d{3}-\d{4}\z/, message: 'Please use the format 111-111-1111' }
  validates :email_address, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP, message: 'Please enter a valid email' }
 
  def self.to_csv