forgive accent in query

2024-11-30 12:51:28 +01:00 · 2024-11-30 12:51:28 +01:00 · 169e2659e1
commit 169e2659e1
parent 6da717a2b9
3 changed files with 27 additions and 27 deletions
--- a/app/models/concerns/dossier_filtering_concern.rb
+++ b/app/models/concerns/dossier_filtering_concern.rb
@ -32,7 +32,7 @@ module DossierFilteringConcern
      safe_quoted_terms = search_terms.map(&:strip).map { "%#{sanitize_sql_like(_1)}%" }
      table_column = DossierFilterService.sanitized_column(table, column)

-      where("#{table_column} ILIKE ANY (ARRAY[?])", safe_quoted_terms)
+      where("unaccent(#{table_column}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))", safe_quoted_terms)
    }

    def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q)
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@ -15,7 +15,7 @@
          "type": "controller",
          "class": "Users::DossiersController",
          "method": "merci",
-          "line": 323,
+          "line": 297,
          "file": "app/controllers/users/dossiers_controller.rb",
          "rendered": {
            "name": "users/dossiers/merci",
@ -170,29 +170,6 @@
      ],
      "note": ""
    },
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "afd2a1a41bd87fa62e065671670bd9bd8cc503ca4cbd3cfdb74a38a794146926",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/models/concerns/dossier_filtering_concern.rb",
-      "line": 35,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "where(\"#{DossierFilterService.sanitized_column(table, column)} LIKE ANY (ARRAY[?])\", search_terms.map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "DossierFilteringConcern",
-        "method": null
-      },
-      "user_input": "DossierFilterService.sanitized_column(table, column)",
-      "confidence": "Medium",
-      "cwe_id": [
-        89
-      ],
-      "note": "The table and column are escaped, which should make this safe"
-    },
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 2,
@ -247,8 +224,31 @@
        79
      ],
      "note": "Current is not a model"
+    },
+    {
+      "warning_type": "SQL Injection",
+      "warning_code": 0,
+      "fingerprint": "fc12551e83eab01e5955c73470bb1fc30b6642bd39750ba4aa9f0fe6ef4d6522",
+      "check_name": "SQL",
+      "message": "Possible SQL injection",
+      "file": "app/models/concerns/dossier_filtering_concern.rb",
+      "line": 35,
+      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
+      "code": "where(\"unaccent(#{DossierFilterService.sanitized_column(table, column)}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))\", search_terms.map(&:strip).map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "DossierFilteringConcern",
+        "method": null
+      },
+      "user_input": "DossierFilterService.sanitized_column(table, column)",
+      "confidence": "Medium",
+      "cwe_id": [
+        89
+      ],
+      "note": "The table and column are escaped, which should make this safe"
    }
  ],
-  "updated": "2024-11-12 17:33:07 +0100",
+  "updated": "2024-12-02 21:04:14 +0100",
  "brakeman_version": "6.1.2"
 }
--- a/spec/services/dossier_filter_service_spec.rb
+++ b/spec/services/dossier_filter_service_spec.rb
@ -443,7 +443,7 @@ describe DossierFilterService do
    end

    context 'for type_de_champ table' do
-      let(:filter) { [type_de_champ.libelle, ' Keep '] }
+      let(:filter) { [type_de_champ.libelle, ' Kéep '] } # add space / case / accent

      let(:kept_dossier) { create(:dossier, procedure:) }
      let(:discarded_dossier) { create(:dossier, procedure:) }