0002-use-sanitize_sql_like-on-search-tokens.patch

Jens Krämer, 2021-04-12 08:44



lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
155 155
          def search_tokens_condition(columns, tokens, all_words)
156 156
            token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"}
157 157
            sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ')
158
            [sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort]
158
            [sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
159 159
          end
160 160
          private :search_tokens_condition
161 161

  
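Review bot: The escaped tokens built on line 158 only match literally if the LIKE statement treats backslash as its escape character, and that statement comes from search_token_match_statement, whose body lies outside this hunk, so the presence of an `ESCAPE` clause cannot be confirmed from here. sanitize_sql_like prefixes `%`, `_` and the escape character with a backslash by default; MySQL and PostgreSQL use backslash as the LIKE escape by default, but SQLite defines no default escape character, so a plain `LIKE ?` there would still treat the escaped `%`/`_` as wildcards and the new test_search_should_find_underscore / test_search_should_find_percent_sign cases would be the place this shows. Worth verifying that search_token_match_statement emits `ESCAPE '\'` (or equivalent) for every supported adapter, and if a different escape character is used there, passing it explicitly via sanitize_sql_like's second argument so both sides agree. As a style point, the call on line 158 is better written with parentheses, `"%#{ActiveRecord::Base.sanitize_sql_like(w)}%"`, which also reads more clearly inside the interpolation.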
test/unit/search_test.rb
150 150
    assert_include issue, r
151 151
  end
152 152

  
153
  def test_search_should_not_allow_like_injection
154
    issue = Issue.generate!(:subject => "asdf")
155

  
156
    r = Issue.search_results('as_f')
157
    assert_not_include issue, r
158

  
159
    r = Issue.search_results('as%f')
160
    assert_not_include issue, r
161
  end
162

  
163
  def test_search_should_find_underscore
164
    issue = Issue.generate!(:subject => "as_f")
165

  
166
    r = Issue.search_results('as_f')
167
    assert_include issue, r
168
  end
169

  
170
  def test_search_should_find_percent_sign
171
    issue = Issue.generate!(:subject => "as%f")
172

  
173
    r = Issue.search_results('as%f')
174
    assert_include issue, r
175
  end
176

  
153 177
  def test_search_should_be_case_insensitive_with_accented_characters
154 178
    unless sqlite?
155 179
      issue1 = Issue.generate!(:subject => "Special chars: ÖÖ")
156
-