[#2579] Protect against SQL injection on column and table in filtered_ids

2018-09-25 20:21:02 +02:00 · 2018-09-25 20:21:02 +02:00 · 1ac8840bc9
commit 1ac8840bc9
parent 670edc3279
1 changed files with 5 additions and 5 deletions
--- a/app/services/dossier_field_service.rb
+++ b/app/services/dossier_field_service.rb
@ -100,7 +100,7 @@ class DossierFieldService
    def sorted_ids(dossiers, procedure_presentation, gestionnaire)
      table = procedure_presentation.sort['table']
-      column = procedure_presentation.sort['column']
+      column = sanitized_column(procedure_presentation.sort)
      order = procedure_presentation.sort['order']
      assert_valid_order(order)
@ -117,23 +117,23 @@ class DossierFieldService
        end
      when 'self'
        return dossiers
-            .order("dossiers.#{column} #{order}")
+            .order("#{column} #{order}")
            .pluck(:id)
      when 'france_connect_information'
        return dossiers
            .includes(user: :france_connect_information)
-            .order("france_connect_informations.#{column} #{order}")
+            .order("#{column} #{order}")
            .pluck(:id)
      when 'type_de_champ', 'type_de_champ_private'
        return dossiers
            .includes(table == 'type_de_champ' ? :champs : :champs_private)
-            .where("champs.type_de_champ_id = #{column.to_i}")
+            .where("champs.type_de_champ_id = #{procedure_presentation.sort['column'].to_i}")
            .order("champs.value #{order}")
            .pluck(:id)
      else
        return dossiers
            .includes(table)
-            .order("#{table.pluralize}.#{column} #{order}")
+            .order("#{column} #{order}")
            .pluck(:id)
      end
    end