From 65f31d52cdd612407200f6af9045fa682345fab8 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sun, 3 Oct 2021 19:43:19 +0000
Subject: [PATCH] Use sanitize_sql_like on search tokens (#35073).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Jens Krämer.

git-svn-id: http://svn.redmine.org/redmine/trunk@21230 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 .../lib/acts_as_searchable.rb | 2 +-
 test/unit/search_test.rb | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
index d8fd38447..871f39ef3 100644
--- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
+++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
@@ -155,7 +155,7 @@ module Redmine
 def search_tokens_condition(columns, tokens, all_words)
 token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"}
 sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ')
- [sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort]
+ [sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
 end
 private :search_tokens_condition
 
diff --git a/test/unit/search_test.rb b/test/unit/search_test.rb
index 532dff299..ae83ed28a 100644
--- a/test/unit/search_test.rb
+++ b/test/unit/search_test.rb
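Review bot: The added `sanitize_sql_like` call escapes `%`, `_` and the backslash by prefixing a backslash, so it only neutralises wildcards if the `LIKE`/`ILIKE` produced by `search_token_match_statement` (outside this hunk) treats backslash as the escape character, either by adapter default or an explicit `ESCAPE` clause; worth confirming for each supported database, since the neighbouring test file already special-cases `sqlite?`. A behaviour change worth a comment on this line is that a literal backslash in a token is now matched as a backslash rather than passed through to the pattern, e.g. `# escape %, _ and \ so tokens are matched literally; relies on backslash being the LIKE escape character`. Style-wise the call inside the interpolation omits parentheses unlike the rest of the line; `"%#{ActiveRecord::Base.sanitize_sql_like(w)}%"` reads more consistently, and since this module is mixed into ActiveRecord models the explicit receiver may be redundant — verify. The enclosing `search_tokens_condition` method lies fully inside the hunk.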
@@ -150,6 +150,30 @@ class SearchTest < ActiveSupport::TestCase
 assert_include issue, r
 end
 
+ def test_search_should_not_allow_like_injection
+ issue = Issue.generate!(:subject => "asdf")
+
+ r = Issue.search_results('as_f')
+ assert_not_include issue, r
+
+ r = Issue.search_results('as%f')
+ assert_not_include issue, r
+ end
+
+ def test_search_should_find_underscore
+ issue = Issue.generate!(:subject => "as_f")
+
+ r = Issue.search_results('as_f')
+ assert_include issue, r
+ end
+
+ def test_search_should_find_percent_sign
+ issue = Issue.generate!(:subject => "as%f")
+
+ r = Issue.search_results('as%f')
+ assert_include issue, r
+ end
+
 def test_search_should_be_case_insensitive_with_accented_characters
 unless sqlite?
 issue1 = Issue.generate!(:subject => "Special chars: ÖÖ")
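Review bot: The three new tests cover `%` and `_` but not the third character `sanitize_sql_like` escapes, the backslash, so a database whose `LIKE` does not honour backslash as the escape character would still pass this suite while the escaping is silently ineffective; a sibling test that generates a subject containing a backslash and searches for it would pin that path. The neighbouring `test_search_should_be_case_insensitive_with_accented_characters` guards with `unless sqlite?`, so if backslash handling turns out to differ by adapter the added test may need the same guard — to be confirmed on the actual adapters rather than assumed. The enclosing `SearchTest` class starts outside the hunk.
```ruby
  def test_search_should_find_backslash
    issue = Issue.generate!(:subject => "as\\f")

    r = Issue.search_results('as\f')
    assert_include issue, r
  end
```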