author | Hiroyuki Sato <sathiroyuki@gmail.com> | 2017-08-26 22:32:55 +0900 |
committer | Hiroyuki Sato <sathiroyuki@gmail.com> | 2017-08-26 22:32:55 +0900 |
commit | 866aab7f2a92f9929a5c5811d3d3c23c11184b26 (patch) | |
tree | 7ea024ee7d908aedae9d3576e9c09fad55c74844 /lib/gitlab/sql | |
parent | 9e203582b367a1b84035572261a79b62e22bfeaa (diff) | |
Fix escape characters was not sanitized
Diffstat (limited to 'lib/gitlab/sql')
-rw-r--r-- | lib/gitlab/sql/pattern.rb | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/gitlab/sql/pattern.rb b/lib/gitlab/sql/pattern.rb
index 47ea19994a2..46c973d8a11 100644
--- a/lib/gitlab/sql/pattern.rb
+++ b/lib/gitlab/sql/pattern.rb
@@ -11,9 +11,9 @@ module Gitlab
       def to_sql
         if exact_matching?
-          query
+          sanitized_query
         else
-          "%#{query}%"
+          "%#{sanitized_query}%"
         end
       end
@@ -24,6 +24,11 @@ module Gitlab
       def partial_matching?
         @query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
       end
+
+      def sanitized_query
+        # Note: ActiveRecord::Base.sanitize_sql_like is a protected method
+        ActiveRecord::Base.__send__(:sanitize_sql_like, query)
+      end
     end
   end
 end
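Review bot: The comment on `sanitized_query` explains the `__send__` workaround but not what the sanitization guarantees, and the distinction matters: `sanitize_sql_like` only escapes LIKE metacharacters (`%`, `_` and the escape character itself) so user-supplied wildcards match literally, it does not make the string safe to interpolate into SQL, so the value `to_sql` returns must still be passed as a bound parameter by its callers. Suggest extending the comment to `# Escapes LIKE metacharacters (%, _, \) so they match literally; the result is a pattern and must still be bound as a query parameter, never interpolated.` The `__send__` call ties this helper to the visibility of `sanitize_sql_like` in the Rails version in use; a `# TODO: call it directly once sanitize_sql_like is public` note would make that dependency explicit. Since the new method is added after `partial_matching?` with no visibility change it becomes a public method on every including class; if only `to_sql` needs it, placing it under `private` would keep the module's surface as it was. The enclosing module definition starts and the class body continues outside the hunk.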