Skip to content

Commit

Permalink
security: prevent SQL injection in sorting param (#2757)
Browse files Browse the repository at this point in the history
  • Loading branch information
Paul-Bob authored May 9, 2024
1 parent 6787db9 commit cda29e3
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions app/controllers/avo/base_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -48,13 +48,18 @@ def index
@query = @query.unscope(:order)
end

sanitized_sort_direction = @index_params[:sort_direction].presence_in(["asc", "desc"])

# Check if the sortable field option is actually a proc and we need to do a custom sort
field_id = @index_params[:sort_by].to_sym
field = @resource.get_field_definitions.find { |field| field.id == field_id }
sort_by = @index_params[:sort_by].to_sym
field = @resource.get_field(sort_by)
@query = if field&.sortable.is_a?(Proc)
field.sortable.call(@query, @index_params[:sort_direction])
field.sortable.call(@query, sanitized_sort_direction)
elsif field.present? && sanitized_sort_direction
@query.order("#{@resource.model_class.table_name}.#{sort_by} #{sanitized_sort_direction}")
# Transform Model to ActiveRecord::Relation because Avo expects one.
else
@query.order("#{@resource.model_class.table_name}.#{@index_params[:sort_by]} #{@index_params[:sort_direction]}")
@query.where("1=1")
end
end

Expand Down

0 comments on commit cda29e3

Please sign in to comment.