authorHiroyuki Sato <sathiroyuki@gmail.com>2017-08-26 22:32:55 +0900
committerHiroyuki Sato <sathiroyuki@gmail.com>2017-08-26 22:32:55 +0900
commit866aab7f2a92f9929a5c5811d3d3c23c11184b26 (patch)
tree7ea024ee7d908aedae9d3576e9c09fad55c74844
parent9e203582b367a1b84035572261a79b62e22bfeaa (diff)
Fix escape characters not being sanitized
-rw-r--r--lib/gitlab/sql/pattern.rb9
-rw-r--r--spec/lib/gitlab/sql/pattern_spec.rb24
2 files changed, 31 insertions, 2 deletions
diff --git a/lib/gitlab/sql/pattern.rb b/lib/gitlab/sql/pattern.rb
index 47ea19994a2..46c973d8a11 100644
--- a/lib/gitlab/sql/pattern.rb
+++ b/lib/gitlab/sql/pattern.rb
@@ -11,9 +11,9 @@ module Gitlab
def to_sql
if exact_matching?
- query
+ sanitized_query
else
- "%#{query}%"
+ "%#{sanitized_query}%"
end
end
@@ -24,6 +24,11 @@ module Gitlab
def partial_matching?
@query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
end
+
+ def sanitized_query
+ # Note: ActiveRecord::Base.sanitize_sql_like is a protected method
+ ActiveRecord::Base.__send__(:sanitize_sql_like, query)
+ end
end
end
end
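Review bot: The comment on `sanitized_query` explains only the `__send__`, not what the sanitization covers, and the method name invites reading the result as safe to interpolate into SQL. `sanitize_sql_like` escapes just the LIKE metacharacters `%`, `_` and the escape character itself (backslash by default); the returned pattern still has to reach the database as a bound value, and the consuming `LIKE` must use the same escape character or the escapes are passed through as literal characters. Suggested comment above the `__send__` line: `# Escapes LIKE wildcards (%, _) and the escape character only; the result is not SQL-quoted and must still be bound as a query parameter.` Calling a protected method via `__send__` is brittle across Rails upgrades, so a `# TODO: call sanitize_sql_like directly once it is public in the Rails version in use` would help the next maintainer. The enclosing class header is outside the hunk.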
diff --git a/spec/lib/gitlab/sql/pattern_spec.rb b/spec/lib/gitlab/sql/pattern_spec.rb
index cbafe36de06..d0412f37098 100644
--- a/spec/lib/gitlab/sql/pattern_spec.rb
+++ b/spec/lib/gitlab/sql/pattern_spec.rb
@@ -12,6 +12,14 @@ describe Gitlab::SQL::Pattern do
end
end
+ context 'when a query with a escape character is shorter than 3 chars' do
+ let(:query) { '_2' }
+
+ it 'returns sanitized exact matching pattern' do
+ expect(to_sql).to eq('\_2')
+ end
+ end
+
context 'when a query is equal to 3 chars' do
let(:query) { '123' }
@@ -20,6 +28,14 @@ describe Gitlab::SQL::Pattern do
end
end
+ context 'when a query with a escape character is equal to 3 chars' do
+ let(:query) { '_23' }
+
+ it 'returns partial matching pattern' do
+ expect(to_sql).to eq('%\_23%')
+ end
+ end
+
context 'when a query is longer than 3 chars' do
let(:query) { '1234' }
@@ -27,5 +43,13 @@ describe Gitlab::SQL::Pattern do
expect(to_sql).to eq('%1234%')
end
end
+
+ context 'when a query with a escape character is longer than 3 chars' do
+ let(:query) { '_234' }
+
+ it 'returns sanitized partial matching pattern' do
+ expect(to_sql).to eq('%\_234%')
+ end
+ end
end
end
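Review bot: The three new contexts exercise only `_`, while `sanitize_sql_like` also escapes `%` and the backslash, so a regression in either of those would pass this spec; the same gap applies to the contexts added in the two earlier hunks of this file. At least one context for `%` is needed, and a backslash case (a query containing a single backslash should come back with it doubled) is worth adding in the same style. The context names at the top of each new block read "a escape character" and should be "an escape character", and the example name in the second hunk (`'returns partial matching pattern'`) should say "sanitized" like its siblings. The enclosing `describe` block starts outside the hunk.
```ruby
context 'when a query with a wildcard character is equal to 3 chars' do
  let(:query) { '%23' }

  it 'returns sanitized partial matching pattern' do
    expect(to_sql).to eq('%\%23%')
  end
end
```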