DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

[#2579] Fix injection SQL dans le filtrage instructeur

Browse source
This commit is contained in:
Frederic Merizen 2018-09-18 15:53:11 +02:00
parent 21d1788018
commit b8f88ece5c
2 changed files with 56 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
app/services/dossier_field_service.rb
View file

@ -62,7 +62,9 @@ class DossierFieldService
def filtered_ids(dossiers, filters) def filtered_ids(dossiers, filters)
filters.map do |filter| filters.map do |filter|
case filter['table'] table = filter['table']
column = sanitized_column(filter)
case table
when 'self' when 'self'
dossiers.where("? ILIKE ?", filter['column'], "%#{filter['value']}%") dossiers.where("? ILIKE ?", filter['column'], "%#{filter['value']}%")
@ -72,27 +74,26 @@ class DossierFieldService
.where("? ILIKE ?", "france_connect_informations.#{filter['column']}", "%#{filter['value']}%") .where("? ILIKE ?", "france_connect_informations.#{filter['column']}", "%#{filter['value']}%")
when 'type_de_champ', 'type_de_champ_private' when 'type_de_champ', 'type_de_champ_private'
relation = filter['table'] == 'type_de_champ' ? :champs : :champs_private relation = table == 'type_de_champ' ? :champs : :champs_private
dossiers dossiers
.includes(relation) .includes(relation)
.where("champs.type_de_champ_id = ?", filter['column'].to_i) .where("champs.type_de_champ_id = ?", filter['column'].to_i)
.where("champs.value ILIKE ?", "%#{filter['value']}%") .where("champs.value ILIKE ?", "%#{filter['value']}%")
when 'etablissement' when 'etablissement'
table = filter['table']
if filter['column'] == 'entreprise_date_creation' if filter['column'] == 'entreprise_date_creation'
date = filter['value'].to_date rescue nil date = filter['value'].to_date rescue nil
dossiers dossiers
.includes(table) .includes(table)
.where("#{table.pluralize}.#{filter['column']} = ?", date) .where("#{column} = ?", date)
else else
dossiers dossiers
.includes(table) .includes(table)
.where("#{table.pluralize}.#{filter['column']} ILIKE ?", "%#{filter['value']}%") .where("#{column} ILIKE ?", "%#{filter['value']}%")
end end
when 'user' when 'user'
dossiers dossiers
.includes(filter['table']) .includes(table)
.where("#{filter['table'].pluralize}.#{filter['column']} ILIKE ?", "%#{filter['value']}%") .where("#{column} ILIKE ?", "%#{filter['value']}%")
end.pluck(:id) end.pluck(:id)
end.reduce(:&) end.reduce(:&)
end end
@ -138,6 +139,14 @@ class DossierFieldService
private private
def sanitized_column(field)
table = field['table']
table = ActiveRecord::Base.connection.quote_column_name((table == 'self' ? 'dossier' : table).pluralize)
column = ActiveRecord::Base.connection.quote_column_name(field['column'])
table + '.' + column
end
def field_hash(label, table, column) def field_hash(label, table, column)
{ {
'label' => label, 'label' => label,

41
spec/services/dossier_field_service_spec.rb
View file

@ -2,7 +2,37 @@ require 'spec_helper'
describe DossierFieldService do describe DossierFieldService do
describe '#filtered_ids' do describe '#filtered_ids' do
let(:procedure) { create(:procedure) } let(:procedure) { create(:procedure, :with_type_de_champ, :with_type_de_champ_private) }
context 'for type_de_champ table' do
let(:kept_dossier) { create(:dossier, procedure: procedure) }
let(:discarded_dossier) { create(:dossier, procedure: procedure) }
let(:type_de_champ) { procedure.types_de_champ.first }
before do
type_de_champ.champ.create(dossier: kept_dossier, value: 'keep me')
type_de_champ.champ.create(dossier: discarded_dossier, value: 'discard me')
end
subject { described_class.filtered_ids(procedure.dossiers, [{ 'table' => 'type_de_champ', 'column' => type_de_champ.id, 'value' => 'keep' }]) }
it { is_expected.to contain_exactly(kept_dossier.id) }
end
context 'for type_de_champ_private table' do
let(:kept_dossier) { create(:dossier, procedure: procedure) }
let(:discarded_dossier) { create(:dossier, procedure: procedure) }
let(:type_de_champ_private) { procedure.types_de_champ_private.first }
before do
type_de_champ_private.champ.create(dossier: kept_dossier, value: 'keep me')
type_de_champ_private.champ.create(dossier: discarded_dossier, value: 'discard me')
end
subject { described_class.filtered_ids(procedure.dossiers, [{ 'table' => 'type_de_champ_private', 'column' => type_de_champ_private.id, 'value' => 'keep' }]) }
it { is_expected.to contain_exactly(kept_dossier.id) }
end
context 'for etablissement table' do context 'for etablissement table' do
context 'for entreprise_date_creation column' do context 'for entreprise_date_creation column' do
@ -25,5 +55,14 @@ describe DossierFieldService do
it { is_expected.to contain_exactly(kept_dossier.id) } it { is_expected.to contain_exactly(kept_dossier.id) }
end end
end end
context 'for user table' do
let!(:kept_dossier) { create(:dossier, procedure: procedure, user: create(:user, email: 'me@keepmail.com')) }
let!(:discarded_dossier) { create(:dossier, procedure: procedure, user: create(:user, email: 'me@discard.com')) }
subject { described_class.filtered_ids(procedure.dossiers, [{ 'table' => 'user', 'column' => 'email', 'value' => 'keepmail' }]) }
it { is_expected.to contain_exactly(kept_dossier.id) }
end
end end
end end