Merge pull request #11105 from demarches-simplifiees/filter_less_dumb
ETQ instructeur: les filtres textes marchent avec des accents en moins, des espaces en trop, et ignore la case.
This commit is contained in:
commit
72ed54d104
3 changed files with 28 additions and 28 deletions
|
@ -29,10 +29,10 @@ module DossierFilteringConcern
|
||||||
}
|
}
|
||||||
|
|
||||||
scope :filter_ilike, lambda { |table, column, search_terms|
|
scope :filter_ilike, lambda { |table, column, search_terms|
|
||||||
safe_quoted_terms = search_terms.map { "%#{sanitize_sql_like(_1)}%" }
|
safe_quoted_terms = search_terms.map(&:strip).map { "%#{sanitize_sql_like(_1)}%" }
|
||||||
table_column = DossierFilterService.sanitized_column(table, column)
|
table_column = DossierFilterService.sanitized_column(table, column)
|
||||||
|
|
||||||
where("#{table_column} LIKE ANY (ARRAY[?])", safe_quoted_terms)
|
where("unaccent(#{table_column}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))", safe_quoted_terms)
|
||||||
}
|
}
|
||||||
|
|
||||||
def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q)
|
def sanitize_sql_like(q) = ActiveRecord::Base.sanitize_sql_like(q)
|
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
"type": "controller",
|
"type": "controller",
|
||||||
"class": "Users::DossiersController",
|
"class": "Users::DossiersController",
|
||||||
"method": "merci",
|
"method": "merci",
|
||||||
"line": 323,
|
"line": 297,
|
||||||
"file": "app/controllers/users/dossiers_controller.rb",
|
"file": "app/controllers/users/dossiers_controller.rb",
|
||||||
"rendered": {
|
"rendered": {
|
||||||
"name": "users/dossiers/merci",
|
"name": "users/dossiers/merci",
|
||||||
|
@ -170,29 +170,6 @@
|
||||||
],
|
],
|
||||||
"note": ""
|
"note": ""
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"warning_type": "SQL Injection",
|
|
||||||
"warning_code": 0,
|
|
||||||
"fingerprint": "afd2a1a41bd87fa62e065671670bd9bd8cc503ca4cbd3cfdb74a38a794146926",
|
|
||||||
"check_name": "SQL",
|
|
||||||
"message": "Possible SQL injection",
|
|
||||||
"file": "app/models/concerns/dossier_filtering_concern.rb",
|
|
||||||
"line": 35,
|
|
||||||
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
|
||||||
"code": "where(\"#{DossierFilterService.sanitized_column(table, column)} LIKE ANY (ARRAY[?])\", search_terms.map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)",
|
|
||||||
"render_path": null,
|
|
||||||
"location": {
|
|
||||||
"type": "method",
|
|
||||||
"class": "DossierFilteringConcern",
|
|
||||||
"method": null
|
|
||||||
},
|
|
||||||
"user_input": "DossierFilterService.sanitized_column(table, column)",
|
|
||||||
"confidence": "Medium",
|
|
||||||
"cwe_id": [
|
|
||||||
89
|
|
||||||
],
|
|
||||||
"note": "The table and column are escaped, which should make this safe"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"warning_type": "Cross-Site Scripting",
|
"warning_type": "Cross-Site Scripting",
|
||||||
"warning_code": 2,
|
"warning_code": 2,
|
||||||
|
@ -247,8 +224,31 @@
|
||||||
79
|
79
|
||||||
],
|
],
|
||||||
"note": "Current is not a model"
|
"note": "Current is not a model"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"warning_type": "SQL Injection",
|
||||||
|
"warning_code": 0,
|
||||||
|
"fingerprint": "fc12551e83eab01e5955c73470bb1fc30b6642bd39750ba4aa9f0fe6ef4d6522",
|
||||||
|
"check_name": "SQL",
|
||||||
|
"message": "Possible SQL injection",
|
||||||
|
"file": "app/models/concerns/dossier_filtering_concern.rb",
|
||||||
|
"line": 35,
|
||||||
|
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
|
||||||
|
"code": "where(\"unaccent(#{DossierFilterService.sanitized_column(table, column)}) ILIKE ANY (ARRAY((SELECT unaccent(unnest(ARRAY[?])))))\", search_terms.map(&:strip).map do\n \"%#{sanitize_sql_like(_1)}%\"\n end)",
|
||||||
|
"render_path": null,
|
||||||
|
"location": {
|
||||||
|
"type": "method",
|
||||||
|
"class": "DossierFilteringConcern",
|
||||||
|
"method": null
|
||||||
|
},
|
||||||
|
"user_input": "DossierFilterService.sanitized_column(table, column)",
|
||||||
|
"confidence": "Medium",
|
||||||
|
"cwe_id": [
|
||||||
|
89
|
||||||
|
],
|
||||||
|
"note": "The table and column are escaped, which should make this safe"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"updated": "2024-11-12 17:33:07 +0100",
|
"updated": "2024-12-02 21:04:14 +0100",
|
||||||
"brakeman_version": "6.1.2"
|
"brakeman_version": "6.1.2"
|
||||||
}
|
}
|
||||||
|
|
|
@ -443,7 +443,7 @@ describe DossierFilterService do
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'for type_de_champ table' do
|
context 'for type_de_champ table' do
|
||||||
let(:filter) { [type_de_champ.libelle, 'keep'] }
|
let(:filter) { [type_de_champ.libelle, ' Kéep '] } # add space / case / accent
|
||||||
|
|
||||||
let(:kept_dossier) { create(:dossier, procedure:) }
|
let(:kept_dossier) { create(:dossier, procedure:) }
|
||||||
let(:discarded_dossier) { create(:dossier, procedure:) }
|
let(:discarded_dossier) { create(:dossier, procedure:) }
|
||||||
|
|
Loading…
Reference in a new issue