

R2-3199 - Fix SQL injection warnings
dhernandez-quoin committed Feb 14, 2025
1 parent 7a42203 commit a50d188
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions app/services/search/search_query.rb
Expand Up @@ -32,8 +32,11 @@ def phonetic(value)
return self unless value.present?

tokens = LanguageService.tokenize(value)
order_query = ActiveRecord::Base.sanitize_sql_for_order(
"#{phonetic_score_query(tokens)} #{similarity_score_query(value)}"
)
@query = @query.where("phonetic_data ->'tokens' ?| array[:values]", values: tokens)
.order(Arel.sql("#{phonetic_score_query(tokens)} #{similarity_score_query(value)}"))
.order(Arel.sql(order_query))
self
end

Expand Down Expand Up @@ -71,9 +74,10 @@ def with_sort(sort)
return self unless sort.present?

sort.each do |sort_field, direction|
@query = @query.order(
ActiveRecord::Base.sanitize_sql_for_order([Arel.sql("data->? #{order_direction(direction)}"), [sort_field]])
)
field = ActiveRecord::Base.sanitize_sql_array(['data->?', sort_field])
direction = order_direction(direction)
order_query = ActiveRecord::Base.sanitize_sql_for_order("#{field} #{direction}")
@query = @query.order(Arel.sql(order_query))
end

self
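Review bot: `ActiveRecord::Base.sanitize_sql_for_order` returns a plain String argument unchanged — it only sanitizes Array conditions whose first element contains `?` placeholders — so the `order_query = ActiveRecord::Base.sanitize_sql_for_order("…")` lines in both the `phonetic` and `with_sort` hunks silence the scanner warning without adding any quoting. In `phonetic` the protection for the interpolated `value` therefore rests entirely on `similarity_score_query` (and `phonetic_score_query`) quoting their inputs, and in `with_sort` on `order_direction` yielding only a fixed direction keyword; neither helper is visible in this diff, so that should be confirmed rather than assumed. The new `sanitize_sql_array(['data->?', sort_field])` line is the part that actually quotes user input and looks correct. I would either drop the pass-through wrappers or annotate them so the next reader does not mistake them for the guard, e.g. `# sanitize_sql_for_order is a no-op for String input; value is quoted inside similarity_score_query`. Both method signatures are outside the hunks (shown only in the @@ headers) and `with_sort`'s closing `end` follows the second hunk.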
