authorMarius Balteanu <marius.balteanu@zitec.com>2021-10-03 19:43:19 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2021-10-03 19:43:19 +0000
commit65f31d52cdd612407200f6af9045fa682345fab8 (patch)
treee6609c75d35e4b2653fa59c36219c94257bc5bc0
parent673ec2f2a65541276436b5cf00d133b3f51a4980 (diff)
downloadredmine-65f31d52cdd612407200f6af9045fa682345fab8.tar.gz
redmine-65f31d52cdd612407200f6af9045fa682345fab8.zip
Use sanitize_sql_like on search tokens (#35073).
Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@21230 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb2
-rw-r--r--test/unit/search_test.rb24
2 files changed, 25 insertions, 1 deletions
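--- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
+++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
@@ -155,7 +155,7 @@ module Redmine
 def search_tokens_condition(columns, tokens, all_words)
 token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"}
 sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ')
-[sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort]
+[sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
 end
 private :search_tokens_condition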
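Review bot: The escaping added on the `+` line only neutralizes `%` and `_` if the LIKE emitted by `search_token_match_statement` (defined outside this hunk) treats backslash as its escape character, because `sanitize_sql_like` escapes with a backslash by default; MySQL and PostgreSQL do that implicitly, but SQLite's LIKE has no default escape character, so that statement presumably needs an explicit `ESCAPE '\'` clause for the new `test_search_should_find_underscore` to pass there — confirm rather than assume. Since the pattern is still passed as a bound `?` value, this change closes the wildcard-pattern issue only, which is worth saying in a one-line comment above the return, e.g. `# Escape LIKE metacharacters so user tokens match literally; values are still bound, not interpolated into SQL`. As a point of style, the bare-argument call inside the interpolation reads more clearly with parentheses: `"%#{ActiveRecord::Base.sanitize_sql_like(w)}%"`.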
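--- a/test/unit/search_test.rb
+++ b/test/unit/search_test.rb
@@ -150,6 +150,30 @@ class SearchTest < ActiveSupport::TestCase
 assert_include issue, r
 end
+def test_search_should_not_allow_like_injection
+issue = Issue.generate!(:subject => "asdf")
+
+r = Issue.search_results('as_f')
+assert_not_include issue, r
+
+r = Issue.search_results('as%f')
+assert_not_include issue, r
+end
+
+def test_search_should_find_underscore
+issue = Issue.generate!(:subject => "as_f")
+
+r = Issue.search_results('as_f')
+assert_include issue, r
+end
+
+def test_search_should_find_percent_sign
+issue = Issue.generate!(:subject => "as%f")
+
+r = Issue.search_results('as%f')
+assert_include issue, r
+end
+
 def test_search_should_be_case_insensitive_with_accented_characters
 unless sqlite?
 issue1 = Issue.generate!(:subject => "Special chars: ÖÖ")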
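Review bot: The three new tests cover `_` and `%` but not the escape character itself, which `sanitize_sql_like` also escapes; a token containing a backslash (for example a subject of `as\f` searched literally, and a subject of `asdf` searched with `as\_f`) would pin that behaviour across the supported databases, where the default LIKE escape character differs. Each new test also creates a fresh issue and relies on `search_results` hitting the database, so if the SQLite backend lacks an explicit ESCAPE clause the underscore test is the one that would fail first — a short comment such as `# Relies on the LIKE statement using backslash as its escape character` above `test_search_should_find_underscore` would make that dependency visible. The enclosing `SearchTest` class starts and ends outside this hunk.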