Commit 866aab7f authored by Hiroyuki Sato's avatar Hiroyuki Sato

Fix escape characters was not sanitized

parent 9e203582
...@@ -11,9 +11,9 @@ module Gitlab ...@@ -11,9 +11,9 @@ module Gitlab
def to_sql def to_sql
if exact_matching? if exact_matching?
query sanitized_query
else else
"%#{query}%" "%#{sanitized_query}%"
end end
end end
...@@ -24,6 +24,11 @@ module Gitlab ...@@ -24,6 +24,11 @@ module Gitlab
def partial_matching? def partial_matching?
@query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING @query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
end end
def sanitized_query
# Note: ActiveRecord::Base.sanitize_sql_like is a protected method
ActiveRecord::Base.__send__(:sanitize_sql_like, query)
end
end end
end end
end end
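Review bot: The exact-matching branch of `to_sql` now returns the escaped string as well (the `query` → `sanitized_query` line), which is only correct if that value is consumed by a LIKE/ILIKE clause whose escape character is backslash; if it ever feeds an equality comparison, `'\_2'` no longer matches the literal input `_2`. The consumer of `to_sql` is outside this hunk, so that is worth confirming before merge. `sanitize_sql_like` escapes `\`, `%` and `_` with a backslash by default, and the comment on `sanitized_query` should state that intent rather than only explain the indirection, e.g. `# Escapes \, % and _ so user input cannot act as a LIKE wildcard; sanitize_sql_like is protected on this Rails version, hence __send__.` If the project's Rails version already exposes `sanitize_sql_like` publicly, the `__send__` call can become a direct call. The enclosing class continues outside the hunk.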
...@@ -12,6 +12,14 @@ describe Gitlab::SQL::Pattern do ...@@ -12,6 +12,14 @@ describe Gitlab::SQL::Pattern do
end end
end end
context 'when a query with a escape character is shorter than 3 chars' do
let(:query) { '_2' }
it 'returns sanitized exact matching pattern' do
expect(to_sql).to eq('\_2')
end
end
context 'when a query is equal to 3 chars' do context 'when a query is equal to 3 chars' do
let(:query) { '123' } let(:query) { '123' }
...@@ -20,6 +28,14 @@ describe Gitlab::SQL::Pattern do ...@@ -20,6 +28,14 @@ describe Gitlab::SQL::Pattern do
end end
end end
context 'when a query with a escape character is equal to 3 chars' do
let(:query) { '_23' }
it 'returns partial matching pattern' do
expect(to_sql).to eq('%\_23%')
end
end
context 'when a query is longer than 3 chars' do context 'when a query is longer than 3 chars' do
let(:query) { '1234' } let(:query) { '1234' }
...@@ -27,5 +43,13 @@ describe Gitlab::SQL::Pattern do ...@@ -27,5 +43,13 @@ describe Gitlab::SQL::Pattern do
expect(to_sql).to eq('%1234%') expect(to_sql).to eq('%1234%')
end end
end end
context 'when a query with a escape character is longer than 3 chars' do
let(:query) { '_234' }
it 'returns sanitized partial matching pattern' do
expect(to_sql).to eq('%\_234%')
end
end
end end
end end
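Review bot: The three new contexts only exercise `_`, while `sanitize_sql_like` also escapes `%` and the backslash itself, so an implementation that escaped only `_` would still pass this spec. One more context per length band with a `%` query would close that gap, e.g. `let(:query) { '%23' }` with `expect(to_sql).to eq('%\%23%')`, and a similar case for a backslash in the input. The context descriptions read "a escape character" in all three places; "an escape character" is the intended wording. The `describe` block these contexts belong to starts outside the hunk.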