Merge pull request #617 from sgmap/fix_sql_injections

Fix SQL injections

app/controllers/admin/accompagnateurs_controller.rb

@@ -12,7 +12,7 @@ class Admin::AccompagnateursController < AdminController
       array: true
 
     not_assign_scope = current_administrateur.gestionnaires.where.not(id: assign_scope.ids)
-    not_assign_scope = not_assign_scope.where("email LIKE '%#{params[:filter]}%'") if params[:filter]
+    not_assign_scope = not_assign_scope.where("email LIKE ?", "%#{params[:filter]}%") if params[:filter]
 
     @accompagnateurs_not_assign = smart_listing_create :accompagnateurs_not_assign,
       not_assign_scope,

app/controllers/admin/procedures_controller.rb

@@ -192,7 +192,7 @@ class Admin::ProceduresController < AdminController
                      .joins(', procedures')
                      .where("procedures.id = procedure_paths.procedure_id")
                      .where("procedures.archived_at" => nil)
-                     .where("path LIKE '%#{params[:request]}%'")
+                     .where("path LIKE ?", "%#{params[:request]}%")
                      .pluck(:path, :administrateur_id)
                      .inject([]) {
                |acc, value| acc.push({label: value.first, mine: value.second == current_administrateur.id})

spec/controllers/admin/procedures_controller_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'uri'
 
 describe Admin::ProceduresController, type: :controller do
   let(:admin) { create(:administrateur) }
@@ -476,7 +477,7 @@ describe Admin::ProceduresController, type: :controller do
         subject
       end
 
-      subject { get :path_list, params: {request: procedure2.path} }
+      subject { get :path_list, params: { request: URI.encode(procedure2.path) } }
 
       it { expect(response.status).to eq(200) }
       it { expect(body.size).to eq(1) }