Security: Uniqueness validator with scope exposes all data

[assimovt]

There is an issue I've noticed with the gem, which exposes all data of the associated object when uniqueness validation with scope is used. What's interesting is that uniqueness validator has been disabled via initializer. You can find a sample rails app showing this issue here: https://github.com/assimovt/csv_uniqueness_issue To see it, just start the rails server. Could someone look at it? Thanks!

[tagliala]

@assimovt I'm aware of this issue and it is also stated in the readme:

https://github.com/DavyJonesLocker/client_side_validations#security

Client Side Validations comes with a uniqueness middleware. This can be a potential security issue, so the uniqueness validator is disabled by default. If you want to enable it, set the disabled_validators config variable in config/initializers/client_side_validations.rb:

ClientSideValidations::Config.disabled_validators = []
Note that the FormBuilder will automatically skip building validators that are disabled.

I would like this to bring this feature out of the main gem.

[assimovt]

I have it disabled, that's the point that it does not make difference, with it or without, still exposes data.

[tagliala]

Sorry, I will take a look asap

[assimovt]

👍

[tagliala]

Just found the source of the issue: https://github.com/DavyJonesLocker/client_side_validations/blob/master/lib/client_side_validations/active_model.rb#L90

The uniqueness validator passes { title: nil } as force parameter in this case, so we must check that if the validator is disabled before the switch statements

Please give a try to the master branch

Thanks for reporting this

[assimovt]

@tagliala Awesome, this fixes the issue. How about 4-2-stable, is it going to be updated? Or will you publish a new gem with this fix?

[tagliala]

@assimovt I'm going to merge 4-2-stable with master, release a new gem and backport this commit to 3-2-stable branch