Use sanitize_sql_like on search tokens (#35073).

Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@21230 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2021-10-03 19:43:19 +00:00 · 2021-10-03 19:43:19 +00:00 · 65f31d52cd
commit 65f31d52cd
parent 673ec2f2a6
2 changed files with 25 additions and 1 deletions
--- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
+++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
@ -155,7 +155,7 @@ module Redmine
          def search_tokens_condition(columns, tokens, all_words)
            token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"}
            sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ')
-            [sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort]
+            [sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
          end
          private :search_tokens_condition

--- a/test/unit/search_test.rb
+++ b/test/unit/search_test.rb
@ -150,6 +150,30 @@ class SearchTest < ActiveSupport::TestCase
    assert_include issue, r
  end

+  def test_search_should_not_allow_like_injection
+    issue = Issue.generate!(:subject => "asdf")
+
+    r = Issue.search_results('as_f')
+    assert_not_include issue, r
+
+    r = Issue.search_results('as%f')
+    assert_not_include issue, r
+  end
+
+  def test_search_should_find_underscore
+    issue = Issue.generate!(:subject => "as_f")
+
+    r = Issue.search_results('as_f')
+    assert_include issue, r
+  end
+
+  def test_search_should_find_percent_sign
+    issue = Issue.generate!(:subject => "as%f")
+
+    r = Issue.search_results('as%f')
+    assert_include issue, r
+  end
+
  def test_search_should_be_case_insensitive_with_accented_characters
    unless sqlite?
      issue1 = Issue.generate!(:subject => "Special chars: ÖÖ")