From ed11ee4fb4724b0465d862c2748b957209e25e19 Mon Sep 17 00:00:00 2001
From: Mathieu Magnin
Date: Thu, 20 Jul 2017 14:51:57 +0200
Subject: [PATCH] Fix SQL injections
---
 app/controllers/admin/accompagnateurs_controller.rb | 2 +-
 app/controllers/admin/procedures_controller.rb | 2 +-
 spec/controllers/admin/procedures_controller_spec.rb | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/controllers/admin/accompagnateurs_controller.rb b/app/controllers/admin/accompagnateurs_controller.rb
index 6f6314851..16fb8e4da 100644
--- a/app/controllers/admin/accompagnateurs_controller.rb
+++ b/app/controllers/admin/accompagnateurs_controller.rb
@@ -12,7 +12,7 @@ class Admin::AccompagnateursController < AdminController
       array: true
     not_assign_scope = current_administrateur.gestionnaires.where.not(id: assign_scope.ids)
-    not_assign_scope = not_assign_scope.where("email LIKE '%#{params[:filter]}%'") if params[:filter]
+    not_assign_scope = not_assign_scope.where("email LIKE ?", "%#{params[:filter]}%") if params[:filter]
     @accompagnateurs_not_assign = smart_listing_create :accompagnateurs_not_assign,
       not_assign_scope,
diff --git a/app/controllers/admin/procedures_controller.rb b/app/controllers/admin/procedures_controller.rb
index 0da920bd1..324543998 100644
--- a/app/controllers/admin/procedures_controller.rb
+++ b/app/controllers/admin/procedures_controller.rb
@@ -192,7 +192,7 @@ class Admin::ProceduresController < AdminController
         .joins(', procedures')
         .where("procedures.id = procedure_paths.procedure_id")
         .where("procedures.archived_at" => nil)
-        .where("path LIKE '%#{params[:request]}%'")
+        .where("path LIKE ?", "%#{params[:request]}%")
         .pluck(:path, :administrateur_id)
         .inject([]) { |acc, value| acc.push({label: value.first, mine: value.second == current_administrateur.id})
diff --git a/spec/controllers/admin/procedures_controller_spec.rb b/spec/controllers/admin/procedures_controller_spec.rb
index 8426df604..bf6558912 100644
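Review bot: The bound pattern `"%#{params[:filter]}%"` on the added line in accompagnateurs_controller.rb still copies user input verbatim into a LIKE pattern, so `%` and `_` typed by the user act as wildcards instead of literal characters; the same applies to `"%#{params[:request]}%"` in the procedures_controller.rb hunk. The injection itself is closed by the placeholder, but the search no longer means what it says for inputs containing those characters, and Rails ships `sanitize_sql_like` for exactly this, e.g. `"%#{ActiveRecord::Base.sanitize_sql_like(params[:filter])}%"` (on Rails releases where the sanitize_sql_* class methods are still protected, the call has to live in the model). The guard `if params[:filter]` also treats an empty string as a filter, turning it into `LIKE '%%'`; `params[:filter].present?` is the usual check. Both enclosing actions begin and end outside their hunks.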
--- a/spec/controllers/admin/procedures_controller_spec.rb
+++ b/spec/controllers/admin/procedures_controller_spec.rb
@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'uri'
 describe Admin::ProceduresController, type: :controller do
   let(:admin) { create(:administrateur) }
@@ -476,7 +477,7 @@ describe Admin::ProceduresController, type: :controller do
       subject
     end
-    subject { get :path_list, params: {request: procedure2.path} }
+    subject { get :path_list, params: { request: URI.encode(procedure2.path) } }
     it { expect(response.status).to eq(200) }
     it { expect(body.size).to eq(1) }
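Review bot: `URI.encode` on the new `subject` line is an obsolete API (an alias of `URI.escape`, deprecated since Ruby 1.9.2 and removed in Ruby 3.0), so this spec will stop loading on a Ruby upgrade. In a controller spec the `params:` hash takes plain Ruby values and the test harness does the encoding itself, so pre-encoding presumably means any reserved character in `procedure2.path` reaches the controller double-encoded and the `body.size` expectation may only hold because the factory path needs no escaping; worth confirming against the factory. The original `subject { get :path_list, params: { request: procedure2.path } }` looks correct as it was, and the `require 'uri'` added in the first hunk would then be unnecessary; if an explicit encoding is really wanted, `CGI.escape` or `ERB::Util.url_encode` are the supported stdlib calls. The enclosing `describe`/context block starts and ends outside the hunk.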