chinwagsocial/app
Claire c8dbbd60eb Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-02-02 23:30:15 +01:00
..
chewy Change tootctl search deploy algorithm (#14300) 2020-07-14 18:10:35 +02:00
controllers Fix login being broken due to inaccurately applied backport fix in 3.4.2 2021-11-06 05:17:39 +01:00
helpers Change number_to_human calls to always use 3-digits precision (#16469) 2021-11-05 23:46:24 +01:00
javascript Fix handling of recursive toots in WebUI (#17041) 2021-11-26 01:22:27 +01:00
lib Fix spurious errors when receiving an Add activity for a private post (#17425) 2022-02-02 22:59:34 +01:00
mailers Prepare Mastodon for Rails 6 (#15911) 2021-03-17 10:09:55 +01:00
models Fix error-prone SQL queries (#15828) 2022-02-02 23:30:15 +01:00
policies Add management of delivery availability in Federation settings (#15771) 2021-05-05 23:39:02 +02:00
presenters Add server rules (#15769) 2021-02-21 19:50:12 +01:00
serializers Add configuration attribute to GET /api/v1/instance (#16485) 2021-11-05 20:30:02 +01:00
services Fix filtering DMs from non-followed users (#17042) 2021-11-26 01:22:33 +01:00
validators Add configuration attribute to GET /api/v1/instance (#16485) 2021-11-05 20:30:02 +01:00
views Change number_to_human calls to always use 3-digits precision (#16469) 2021-11-05 23:46:24 +01:00
workers Fix followers synchronization mechanism not working when URI has empty path (#16510) 2022-01-31 10:59:00 +01:00