DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

fix: make enums filter work if champs.enums contains the searched value among others

Browse source
This commit is contained in:
simon lehericey 2024-11-12 17:39:31 +01:00
parent 50677e982c
commit 09793420fb
No known key found for this signature in database
GPG key ID: CDE670D827C7B3C5
4 changed files with 31 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/models/columns/champ_column.rb
View file

@ -37,7 +37,9 @@ class Columns::ChampColumn < Column
if type == :enum if type == :enum
relation.where(champs: { column => search_terms }).ids relation.where(champs: { column => search_terms }).ids
elsif type == :enums elsif type == :enums
relation.filter_array_enum(:champs, column, search_terms).ids # in a multiple drop down list, the value are stored as '["v1", "v2"]'
quoted_search_terms = search_terms.map { %{"#{_1}"} }
relation.filter_ilike(:champs, column, quoted_search_terms).ids
else else
relation.filter_ilike(:champs, column, search_terms).ids relation.filter_ilike(:champs, column, search_terms).ids
end end

6
app/models/concerns/dossier_filtering_concern.rb
View file

@ -35,12 +35,6 @@ module DossierFilteringConcern
where("#{table_column} LIKE ANY (ARRAY[?])", safe_quoted_terms) where("#{table_column} LIKE ANY (ARRAY[?])", safe_quoted_terms)
} }
scope :filter_array_enum, lambda { |table, column, values|
table_column = DossierFilterService.sanitized_column(table, column)
q = Array.new(values.count, "(#{table_column} = ?)").join(' OR ')
where(q, *(values. map { |value| "[\"#{value}\"]" }))
}
def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q) def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q)
end end
end end

25
config/brakeman.ignore
View file

@ -44,29 +44,6 @@
], ],
"note": "" "note": ""
}, },
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "5092b33433aef8fe42b688a780325f3791a77b39e55131256c78cebc3c14c0a3",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 46,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{values.count} OR #{\"(#{DossierFilterService.sanitized_column(table, column)} = ?)\"}\", *values.map do\n \"[\\\"#{value}\\\"]\"\n end)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "values.count",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "filtered by rails query params where(something: ?, values)"
},
{ {
"warning_type": "SQL Injection", "warning_type": "SQL Injection",
"warning_code": 0, "warning_code": 0,
@ -120,7 +97,7 @@
"check_name": "SQL", "check_name": "SQL",
"message": "Possible SQL injection", "message": "Possible SQL injection",
"file": "app/models/columns/json_path_column.rb", "file": "app/models/columns/json_path_column.rb",
"line": 24, "line": 26,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "dossiers.with_type_de_champ(stable_id).where(\"champs.value_json @? '#{jsonpath} ? (@ like_regex \\\"#{quote_string(search_terms.join(\"|\"))}\\\" flag \\\"i\\\")'\")", "code": "dossiers.with_type_de_champ(stable_id).where(\"champs.value_json @? '#{jsonpath} ? (@ like_regex \\\"#{quote_string(search_terms.join(\"|\"))}\\\" flag \\\"i\\\")'\")",
"render_path": null, "render_path": null,

32
spec/services/dossier_filter_service_spec.rb
View file

@ -510,20 +510,42 @@ describe DossierFilterService do
end end
context 'with enums type_de_champ' do context 'with enums type_de_champ' do
let(:filter) { [type_de_champ.libelle, 'Favorable'] } let(:filter) { [type_de_champ.libelle, search_term] }
let(:types_de_champ_public) { [{ type: :multiple_drop_down_list, options: ['Favorable', 'Defavorable'] }] } let(:types_de_champ_public) { [{ type: :multiple_drop_down_list, options: ['champ', 'champignon'] }] }
before do before do
kept_champ = kept_dossier.champs.find_by(stable_id: type_de_champ.stable_id) kept_champ = kept_dossier.champs.find_by(stable_id: type_de_champ.stable_id)
kept_champ.value = ['Favorable'] kept_champ.value = ['champ', 'champignon']
kept_champ.save! kept_champ.save!
discarded_champ = discarded_dossier.champs.find_by(stable_id: type_de_champ.stable_id) discarded_champ = discarded_dossier.champs.find_by(stable_id: type_de_champ.stable_id)
discarded_champ.value = ['Defavorable'] discarded_champ.value = ['champignon']
discarded_champ.save! discarded_champ.save!
end end
it { is_expected.to contain_exactly(kept_dossier.id) } context 'with single value' do
let(:search_term) { 'champ' }
it { is_expected.to contain_exactly(kept_dossier.id) }
end
context 'with multiple search values' do
let(:search_term) { 'champignon' }
it { is_expected.to contain_exactly(kept_dossier.id, discarded_dossier.id) }
end
context 'test if I could break a regex with %' do
let(:search_term) { '%' }
it { is_expected.to be_empty }
end
context 'test if I could break a regex with .' do
let(:search_term) { '.*' }
it { is_expected.to be_empty }
end
end end
end end