From 1a19fe1dc0b35bae66b960e2d8da79d5e3ed95dc Mon Sep 17 00:00:00 2001
From: Jens Kraemer
Date: Mon, 12 Apr 2021 14:04:55 +0800
Subject: [PATCH 4/5] use sanitize_sql_like in Query#sql_contains

---
 app/models/query.rb     |  1 +
 test/unit/query_test.rb | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/app/models/query.rb b/app/models/query.rb
index 231ded24b..1a30b1370 100644
--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -1429,6 +1429,7 @@ class Query < ActiveRecord::Base
     prefix = '%' if options[:ends_with]
     suffix = '%' if options[:starts_with]
     prefix = suffix = '%' if prefix.nil? && suffix.nil?
+    value = queried_class.sanitize_sql_like value
     queried_class.send(
       :sanitize_sql_for_conditions,
       [Redmine::Database.like(db_field, '?', :match => options[:match]), "#{prefix}#{value}#{suffix}"])
diff --git a/test/unit/query_test.rb b/test/unit/query_test.rb
index 75efaae8a..5beec07b4 100644
--- a/test/unit/query_test.rb
+++ b/test/unit/query_test.rb
@@ -2654,4 +2654,19 @@ class QueryTest < ActiveSupport::TestCase
     # Non-paginated issue ids and paginated issue ids should be in the same order.
     assert_equal issue_ids, paginated_issue_ids
   end
+
+  def test_sql_contains_should_escape_value
+    i = Issue.generate! subject: 'Sanitize test'
+    query = IssueQuery.new(:project => nil, :name => '_')
+    query.add_filter('subject', '~', ['te%t'])
+    assert_equal 0, query.issue_count
+
+    i.update_column :subject, 'Sanitize te%t'
+    assert_equal 1, query.issue_count
+
+    i.update_column :subject, 'Sanitize te_t'
+    query = IssueQuery.new(:project => nil, :name => '_')
+    query.add_filter('subject', '~', ['te_t'])
+    assert_equal 1, query.issue_count
+  end
 end

-- 
2.20.1
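Review bot: The added `sanitize_sql_like` call escapes `%`, `_` and `\` with a backslash, but that only neutralises the wildcards if the generated LIKE treats backslash as its escape character, and that is decided by `Redmine::Database.like`, which is outside this hunk: PostgreSQL and MySQL default to backslash, whereas SQLite's LIKE has no default escape character, so there a filter for `te%t` would match the literal `te\%t` and nothing else unless an explicit `ESCAPE '\'` clause is emitted — worth confirming in the SQLite branch of `like` rather than relying on backend defaults. Escaping before the `%` prefix/suffix is wrapped around the value is the right order, so the added wildcards survive while the user's do not. `sql_contains` begins before this hunk; a short comment above the new line, `# escape LIKE metacharacters (%, _, \) so user input is matched literally`, would record why the value is rewritten here and not at the filter layer. The surrounding code passes arguments in parentheses (`Redmine::Database.like(db_field, '?', ...)`), so `value = queried_class.sanitize_sql_like(value)` would match the file's style.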
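Review bot: The new test exercises `%` and `_` but not the backslash, which is the third character `sanitize_sql_like` escapes and the one a user would supply to try to defeat the escaping (a filter of `te\%t` must not be turned back into a wildcard match); a case with a literal `\` in both the subject and the filter value would close that gap. The `:match => false` path and the `:starts_with`/`:ends_with` variants of `sql_contains` visible in the model hunk are also left uncovered, so a regression in the negated or anchored forms would not be caught here. Note that the assertions implicitly depend on the backend honouring `\` as the LIKE escape character; on SQLite that requires an `ESCAPE` clause in `Redmine::Database.like`, which this patch does not touch, so a failure there would point at the helper rather than at this test. A backslash case at the end of the method would look like this:

```ruby
    # … unchanged: % and _ cases …
    i.update_column :subject, 'Sanitize te\\t'
    query = IssueQuery.new(:project => nil, :name => '_')
    query.add_filter('subject', '~', ['te\\t'])
    assert_equal 1, query.issue_count
```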