forgive accent in query

simon lehericey 2024-11-30 12:51:28 +01:00
parent 6da717a2b9
commit 169e2659e1
No known key found for this signature in database
GPG key ID: CDE670D827C7B3C5
3 changed files with 27 additions and 27 deletions


@ -32,7 +32,7 @@ module DossierFilteringConcern
safe_quoted_terms = search_terms.map(&:strip).map { "%#{sanitize_sql_like(_1)}%" } safe_quoted_terms = search_terms.map(&:strip).map { "%#{sanitize_sql_like(_1)}%" }
table_column = DossierFilterService.sanitized_column(table, column) table_column = DossierFilterService.sanitized_column(table, column)
where("#{table_column} ILIKE ANY (ARRAY[?])", safe_quoted_terms) where("unaccent(#{table_column}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))", safe_quoted_terms)
} }
def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q) def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q)
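Review bot: The new `where` string still interpolates `table_column` into the SQL text, now inside `unaccent(...)`, so the line's safety rests entirely on `DossierFilterService.sanitized_column`, which is not visible in this hunk. The re-fingerprinted Brakeman ignore entry carries its old note over unchanged, so I would record the reasoning at the call site, e.g. `# table_column is produced by DossierFilterService.sanitized_column; search terms are bound via ?, never interpolated`. Separately, `sanitize_sql_like` escapes the terms in Ruby before `unaccent()` runs in the database, so it is worth confirming that the installed unaccent rules cannot map an input character to `%`, `_` or `\`, which would reintroduce LIKE wildcards after escaping. `unaccent()` also requires the PostgreSQL extension to be enabled, which nothing in this commit shows. The enclosing scope begins and ends outside the hunk.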


@ -15,7 +15,7 @@
"type": "controller", "type": "controller",
"class": "Users::DossiersController", "class": "Users::DossiersController",
"method": "merci", "method": "merci",
"line": 323, "line": 297,
"file": "app/controllers/users/dossiers_controller.rb", "file": "app/controllers/users/dossiers_controller.rb",
"rendered": { "rendered": {
"name": "users/dossiers/merci", "name": "users/dossiers/merci",
@ -170,29 +170,6 @@
], ],
"note": "" "note": ""
}, },
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "afd2a1a41bd87fa62e065671670bd9bd8cc503ca4cbd3cfdb74a38a794146926",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 35,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"#{DossierFilterService.sanitized_column(table, column)} LIKE ANY (ARRAY[?])\", search_terms.map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "DossierFilterService.sanitized_column(table, column)",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "The table and column are escaped, which should make this safe"
},
{ {
"warning_type": "Cross-Site Scripting", "warning_type": "Cross-Site Scripting",
"warning_code": 2, "warning_code": 2,
@ -247,8 +224,31 @@
79 79
], ],
"note": "Current is not a model" "note": "Current is not a model"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "fc12551e83eab01e5955c73470bb1fc30b6642bd39750ba4aa9f0fe6ef4d6522",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/dossier_filtering_concern.rb",
"line": 35,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\"unaccent(#{DossierFilterService.sanitized_column(table, column)}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))\", search_terms.map(&:strip).map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)",
"render_path": null,
"location": {
"type": "method",
"class": "DossierFilteringConcern",
"method": null
},
"user_input": "DossierFilterService.sanitized_column(table, column)",
"confidence": "Medium",
"cwe_id": [
89
],
"note": "The table and column are escaped, which should make this safe"
} }
], ],
"updated": "2024-11-12 17:33:07 +0100", "updated": "2024-12-02 21:04:14 +0100",
"brakeman_version": "6.1.2" "brakeman_version": "6.1.2"
} }


@ -443,7 +443,7 @@ describe DossierFilterService do
end end
context 'for type_de_champ table' do context 'for type_de_champ table' do
let(:filter) { [type_de_champ.libelle, ' Keep '] } let(:filter) { [type_de_champ.libelle, ' Kéep '] } # add space / case / accent
let(:kept_dossier) { create(:dossier, procedure:) } let(:kept_dossier) { create(:dossier, procedure:) }
let(:discarded_dossier) { create(:dossier, procedure:) } let(:discarded_dossier) { create(:dossier, procedure:) }