diff --git a/app/models/concerns/dossier_filtering_concern.rb b/app/models/concerns/dossier_filtering_concern.rb index f1f01a6cf..fcfff0fde 100644 --- a/app/models/concerns/dossier_filtering_concern.rb +++ b/app/models/concerns/dossier_filtering_concern.rb @@ -32,7 +32,7 @@ module DossierFilteringConcern safe_quoted_terms = search_terms.map(&:strip).map { "%#{sanitize_sql_like(_1)}%" } table_column = DossierFilterService.sanitized_column(table, column) - where("#{table_column} ILIKE ANY (ARRAY[?])", safe_quoted_terms) + where("unaccent(#{table_column}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))", safe_quoted_terms) } def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q) diff --git a/config/brakeman.ignore b/config/brakeman.ignore index d064270c1..af93d2bd7 100644 --- a/config/brakeman.ignore +++ b/config/brakeman.ignore @@ -15,7 +15,7 @@ "type": "controller", "class": "Users::DossiersController", "method": "merci", - "line": 323, + "line": 297, "file": "app/controllers/users/dossiers_controller.rb", "rendered": { "name": "users/dossiers/merci", @@ -170,29 +170,6 @@ ], "note": "" }, - { - "warning_type": "SQL Injection", - "warning_code": 0, - "fingerprint": "afd2a1a41bd87fa62e065671670bd9bd8cc503ca4cbd3cfdb74a38a794146926", - "check_name": "SQL", - "message": "Possible SQL injection", - "file": "app/models/concerns/dossier_filtering_concern.rb", - "line": 35, - "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", - "code": "where(\"#{DossierFilterService.sanitized_column(table, column)} LIKE ANY (ARRAY[?])\", search_terms.map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)", - "render_path": null, - "location": { - "type": "method", - "class": "DossierFilteringConcern", - "method": null - }, - "user_input": "DossierFilterService.sanitized_column(table, column)", - "confidence": "Medium", - "cwe_id": [ - 89 - ], - "note": "The table and column are escaped, which should make this safe" - }, { "warning_type": "Cross-Site Scripting", "warning_code": 2, @@ -247,8 +224,31 @@ 79 ], "note": "Current is not a model" + }, + { + "warning_type": "SQL Injection", + "warning_code": 0, + "fingerprint": "fc12551e83eab01e5955c73470bb1fc30b6642bd39750ba4aa9f0fe6ef4d6522", + "check_name": "SQL", + "message": "Possible SQL injection", + "file": "app/models/concerns/dossier_filtering_concern.rb", + "line": 35, + "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", + "code": "where(\"unaccent(#{DossierFilterService.sanitized_column(table, column)}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))\", search_terms.map(&:strip).map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)", + "render_path": null, + "location": { + "type": "method", + "class": "DossierFilteringConcern", + "method": null + }, + "user_input": "DossierFilterService.sanitized_column(table, column)", + "confidence": "Medium", + "cwe_id": [ + 89 + ], + "note": "The table and column are escaped, which should make this safe" } ], - "updated": "2024-11-12 17:33:07 +0100", + "updated": "2024-12-02 21:04:14 +0100", "brakeman_version": "6.1.2" } diff --git a/spec/services/dossier_filter_service_spec.rb b/spec/services/dossier_filter_service_spec.rb index 21b4bdeda..7a85e02ac 100644 --- a/spec/services/dossier_filter_service_spec.rb +++ b/spec/services/dossier_filter_service_spec.rb @@ -443,7 +443,7 @@ describe DossierFilterService do end context 'for type_de_champ table' do - let(:filter) { [type_de_champ.libelle, ' Keep '] } + let(:filter) { [type_de_champ.libelle, ' Kéep '] } # add space / case / accent let(:kept_dossier) { create(:dossier, procedure:) } let(:discarded_dossier) { create(:dossier, procedure:) }