Sanitize search for users and rooms (#1784)

2020-06-11 12:39:18 -04:00
parent cf794db595
commit 06236b49f7
2 changed files with 3 additions and 4 deletions
--- a/app/models/room.rb
+++ b/app/models/room.rb
@@ -40,8 +40,7 @@ class Room < ApplicationRecord
    search_query = "rooms.name LIKE :search OR rooms.uid LIKE :search OR users.email LIKE :search" \
    " OR users.#{created_at_query} LIKE :search"
-    search_param = "%#{string}%"
+    search_param = "%#{sanitize_sql_like(string)}%"
    where(search_query, search: search_param)
  end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -85,7 +85,7 @@ class User < ApplicationRecord
      search_query = "users.name LIKE :search OR email LIKE :search OR username LIKE :search" \
                    " OR users.#{created_at_query} LIKE :search OR users.provider LIKE :search" \
                    " OR roles.name LIKE :roles_search"
-      role_search_param = "%#{string}%"
+      role_search_param = "%#{sanitize_sql_like(string)}%"
    else
      search_query = "(users.name LIKE :search OR email LIKE :search OR username LIKE :search" \
                    " OR users.#{created_at_query} LIKE :search OR users.provider LIKE :search)" \
@@ -93,7 +93,7 @@ class User < ApplicationRecord
      role_search_param = role.name
    end
-    search_param = "%#{string}%"
+    search_param = "%#{sanitize_sql_like(string)}%"
    where(search_query, search: search_param, roles_search: role_search_param)
  end