From 402f970bdcfab258fe7b8fde59127468fbbe652e Mon Sep 17 00:00:00 2001
From: Matijs van Zuijlen
Date: Sun, 13 Oct 2024 12:15:54 +0200
Subject: [PATCH] Limit assigned attributes when creating and updating Notes
Using #permit! is unsafe and not necessary, since we have a fixed set of attributes used in the notes form. Use #permit with a list of attribute names instead.
---
 app/controllers/admin/notes_controller.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/app/controllers/admin/notes_controller.rb b/app/controllers/admin/notes_controller.rb
index c3ab98af..1104ee54 100644
--- a/app/controllers/admin/notes_controller.rb
+++ b/app/controllers/admin/notes_controller.rb
@@ -23,7 +23,7 @@ def create
 note = new_note
 note.state = "published"
- note.attributes = params[:note].permit!
+ note.assign_attributes(note_params)
 note.text_filter ||= default_text_filter
 note.published_at ||= Time.zone.now
 if note.save
@@ -41,7 +41,7 @@ def create
 end
 def update
- @note.attributes = params[:note].permit!
+ @note.assign_attributes(note_params)
 @note.save
 redirect_to admin_notes_url
 end
@@ -54,6 +54,15 @@ def destroy
 private
+ def note_params
+ params.require(:note).permit(:text_filter_name,
+ :body,
+ :push_to_twitter,
+ :in_reply_to_status_id,
+ :permalink,
+ :published_at)
+ end
+
 def load_existing_notes
 @notes = Note.page(params[:page]).per(this_blog.limit_article_display)
 end
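Review bot: The return value of `@note.save` on the line after the new `assign_attributes` call in `update` is discarded, so a note that fails validation is dropped and the request still redirects to the index as if it had been saved. The commit narrows what can be assigned but leaves that path untouched, and since `permit` also filters unlisted keys silently under Rails' default configuration, an admin now gets no signal at all when an update changes nothing. A minimal fix keeps the redirect but surfaces the failure, e.g. `flash[:error] = @note.errors.full_messages.to_sentence unless @note.save` in place of the bare `@note.save` — assuming the admin layout renders `flash[:error]`, which this diff does not show. `update` is complete within the hunk.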
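Review bot: `note_params` carries no comment saying why `state` is absent from the allowlist, and that absence is the security-relevant part of this change: `create` forces `note.state = "published"` before assigning attributes, and with the old `permit!` a `note[state]` key in the request would have overridden it. I would add above the `def`: `# Allowlist for the admin notes form; state is intentionally absent: create forces it to "published" and the client must not be able to change it.` Note also that `permit` drops unlisted keys silently under the default `action_on_unpermitted_parameters` setting, so if the form later gains a field that is not in this list the save will quietly ignore it; setting that option to `:raise` in development and test (outside this file) would catch the drift early. Whether `:published_at` and `:permalink` should remain client-settable is a product decision this diff does not show — the commit message says the list mirrors the form, which is worth confirming against the view.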