fix brakeman SQL injection warning

3 weeks ago · ab9008b3be
parent 65491936c3
commit ab9008b3be
1 changed files with 9 additions and 7 deletions
--- a/app/controllers/submitters_autocomplete_controller.rb
+++ b/app/controllers/submitters_autocomplete_controller.rb
@ -7,13 +7,15 @@ class SubmittersAutocompleteController < ApplicationController
  LIMIT = 100

  def index
-    submitters = search_submitters(@submitters)
+    field = SELECT_COLUMNS.find { |c| c == params[:field] }
+
+    submitters = search_submitters(@submitters, field)

    arel_columns = SELECT_COLUMNS.map { |col| Submitter.arel_table[col] }

    values =
-      if params[:field].present? && SELECT_COLUMNS.include?(params[:field])
-        max_ids = submitters.group(params[:field]).limit(LIMIT).select(Submitter.arel_table[:id].maximum)
+      if field
+        max_ids = submitters.group(field).limit(LIMIT).select(Submitter.arel_table[:id].maximum)

        submitters.where(id: max_ids).order(id: :desc).pluck(arel_columns)
      else
@ -27,12 +29,12 @@ class SubmittersAutocompleteController < ApplicationController

  private

-  def search_submitters(submitters)
-    if SELECT_COLUMNS.include?(params[:field])
+  def search_submitters(submitters, field)
+    if field
      if Docuseal.fulltext_search?
-        Submitters.fulltext_search_field(current_user, submitters, params[:q], params[:field])
+        Submitters.fulltext_search_field(current_user, submitters, params[:q], field)
      else
-        column = Submitter.arel_table[params[:field].to_sym]
+        column = Submitter.arel_table[field.to_sym]

        term = "#{params[:q].downcase}%"