Merge pull request #13632 from rioug/security-247-code-injection

[security] Fix potential code injection
2026-02-06 22:36:07 +00:00 · 2025-11-05 16:34:37 +11:00
parent 30c0bcc910 bd0db57768
commit 8e5fac9fb3
2 changed files with 23 additions and 5 deletions
--- a/app/controllers/spree/admin/payment_methods_controller.rb
+++ b/app/controllers/spree/admin/payment_methods_controller.rb
@@ -10,6 +10,12 @@ module Spree

      respond_to :html

+      PAYMENT_METHODS = %w{
+        Spree::PaymentMethod::Check
+        Spree::Gateway::PayPalExpress
+        Spree::Gateway::StripeSCA
+      }.index_with(&:constantize).freeze
+
      def create
        force_environment

@@ -89,8 +95,9 @@ module Spree
            @payment_method = PaymentMethod.find(params[:pm_id])
          end
        else
-          @payment_method = params[:provider_type].constantize.new
+          @payment_method = PAYMENT_METHODS.fetch(params[:provider_type], PaymentMethod).new
        end
+
        render partial: 'provider_settings'
      end

--- a/spec/controllers/spree/admin/payment_methods_controller_spec.rb
+++ b/spec/controllers/spree/admin/payment_methods_controller_spec.rb
@@ -230,7 +230,7 @@ RSpec.describe Spree::Admin::PaymentMethodsController do
    end
  end

-  context "Requesting provider preference fields" do
+  describe "#show_provider_preferences" do
    let(:enterprise) { create(:distributor_enterprise) }
    let(:user) do
      new_user = create(:user, email: 'enterprise@hub.com', password: 'blahblah',
@@ -244,7 +244,7 @@ RSpec.describe Spree::Admin::PaymentMethodsController do
      allow(controller).to receive_messages spree_current_user: user
    end

-    context "on an existing payment method" do
+    context "with an existing payment method" do
      let(:payment_method) { create(:payment_method) }

      context "where I have permission" do
@@ -273,7 +273,7 @@ RSpec.describe Spree::Admin::PaymentMethodsController do
        end
      end

-      context "where I do not have permission" do
+      context "when I do not have permission" do
        before do
          payment_method.distributors = []
        end
@@ -288,7 +288,7 @@ RSpec.describe Spree::Admin::PaymentMethodsController do
      end
    end

-    context "on a new payment method" do
+    context "with a new payment method" do
      it "renders provider settings with a new payment method of type" do
        spree_get :show_provider_preferences,
                  pm_id: "",
@@ -296,6 +296,17 @@ RSpec.describe Spree::Admin::PaymentMethodsController do
        expect(assigns(:payment_method)).to be_a_new Spree::Gateway::PayPalExpress
        expect(response).to render_template partial: '_provider_settings'
      end
+
+      context "with a non valid payment method" do
+        it "renders provider settings with a new generic payment method" do
+          spree_get :show_provider_preferences,
+                    pm_id: "",
+                    provider_type: "Spree::Gateway::Hacked"
+
+          expect(assigns(:payment_method)).to be_a_new Spree::PaymentMethod
+          expect(response).to render_template partial: '_provider_settings'
+        end
+      end
    end
  end
 end