Sanitise search input for order (#2662)

* Sanitise search input for order * Update scope
4 months ago · d366849354
4 changed files with 36 additions and 9 deletions
--- a/app/models/lettings_log.rb
+++ b/app/models/lettings_log.rb
@ -59,17 +59,25 @@ class LettingsLog < Log
    query.all
  }
  scope :search_by, lambda { |param|
-    by_id = Arel.sql("CASE WHEN lettings_logs.id = #{param.to_i} THEN 0 ELSE 1 END")
-    by_tenant_code = Arel.sql("CASE WHEN tenancycode = '#{param}' THEN 0 WHEN tenancycode ILIKE '%#{param}%' THEN 1 ELSE 2 END")
-    by_propcode = Arel.sql("CASE WHEN propcode = '#{param}' THEN 0 WHEN propcode ILIKE '%#{param}%' THEN 1 ELSE 2 END")
-    by_postcode = Arel.sql("CASE WHEN REPLACE(postcode_full, ' ', '') = '#{param.delete(' ')}' THEN 0 when REPLACE(postcode_full, ' ', '') ILIKE '%#{param.delete(' ')}%' then 1 ELSE 2 END")
+    sanitized_param = ActiveRecord::Base.sanitize_sql(param)
+    param_without_spaces = sanitized_param.delete(" ")
+
+    by_id = Arel.sql("CASE WHEN lettings_logs.id = ? THEN 0 ELSE 1 END")
+    by_tenant_code = Arel.sql("CASE WHEN tenancycode = ? THEN 0 WHEN tenancycode ILIKE ? THEN 1 ELSE 2 END")
+    by_propcode = Arel.sql("CASE WHEN propcode = ? THEN 0 WHEN propcode ILIKE ? THEN 1 ELSE 2 END")
+    by_postcode = Arel.sql("CASE WHEN REPLACE(postcode_full, ' ', '') = ? THEN 0 WHEN REPLACE(postcode_full, ' ', '') ILIKE ? THEN 1 ELSE 2 END")

    filter_by_location_postcode(param)
      .or(filter_by_tenant_code(param))
      .or(filter_by_propcode(param))
      .or(filter_by_postcode(param))
      .or(filter_by_id(param.gsub(/log/i, "")))
-      .order(by_id, by_tenant_code, by_propcode, by_postcode)
+      .order(
+        [by_id, sanitized_param.to_i],
+        [by_tenant_code, sanitized_param, sanitized_param],
+        [by_propcode, sanitized_param, sanitized_param],
+        [by_postcode, param_without_spaces, param_without_spaces],
+      )
  }
  scope :after_date, ->(date) { where("lettings_logs.startdate >= ?", date) }
  scope :before_date, ->(date) { where("lettings_logs.startdate < ?", date) }
--- a/app/models/sales_log.rb
+++ b/app/models/sales_log.rb
@ -46,14 +46,19 @@ class SalesLog < Log
  }
  scope :filter_by_purchaser_code, ->(purchid) { where("purchid ILIKE ?", "%#{purchid}%") }
  scope :search_by, lambda { |param|
-    by_id = Arel.sql("CASE WHEN id = #{param.to_i} THEN 0 ELSE 1 END")
-    by_purchaser_code = Arel.sql("CASE WHEN purchid = '#{param}' THEN 0 WHEN purchid ILIKE '%#{param}%' THEN 1 ELSE 2 END")
-    by_postcode = Arel.sql("CASE WHEN REPLACE(postcode_full, ' ', '') = '#{param.delete(' ')}' THEN 0 WHEN REPLACE(postcode_full, ' ', '') ILIKE '%#{param.delete(' ')}%' THEN 1 ELSE 2 END")
+    sanitized_param = ActiveRecord::Base.sanitize_sql(param)
+    param_without_spaces = sanitized_param.delete(" ")
+
+    by_id = Arel.sql("CASE WHEN id = ? THEN 0 ELSE 1 END")
+    by_purchaser_code = Arel.sql("CASE WHEN purchid = ? THEN 0 WHEN purchid ILIKE ? THEN 1 ELSE 2 END")
+    by_postcode = Arel.sql("CASE WHEN REPLACE(postcode_full, ' ', '') = ? THEN 0 WHEN REPLACE(postcode_full, ' ', '') ILIKE ? THEN 1 ELSE 2 END")

    filter_by_purchaser_code(param)
      .or(filter_by_postcode(param))
      .or(filter_by_id(param.gsub(/log/i, "")))
-      .order(by_id, by_purchaser_code, by_postcode)
+      .order([by_id, sanitized_param.to_i],
+             [by_purchaser_code, sanitized_param, sanitized_param],
+             [by_postcode, param_without_spaces, param_without_spaces])
  }
  scope :age1_answered, -> { where.not(age1: nil).or(where(age1_known: [1, 2])) }
  scope :duplicate_logs, lambda { |log|
--- a/spec/models/lettings_log_spec.rb
+++ b/spec/models/lettings_log_spec.rb
@ -1345,6 +1345,13 @@ RSpec.describe LettingsLog do
            expect(result.third.id).to eq lettings_log_with_postcode.id
          end
        end
+
+        it "sanitises input for order" do
+          lettings_log_to_search.update!(tenancycode: "' 1234")
+          result = described_class.search_by(lettings_log_to_search.tenancycode)
+          expect(result.count).to eq(1)
+          expect(result.first.id).to eq lettings_log_to_search.id
+        end
      end
    end

--- a/spec/models/sales_log_spec.rb
+++ b/spec/models/sales_log_spec.rb
@ -214,6 +214,13 @@ RSpec.describe SalesLog, type: :model do
        expect(result).to include(have_attributes(id: sales_log_to_search.id))
      end
    end
+
+    it "sanitises input for order" do
+      sales_log_to_search.update!(purchid: "' 123456")
+      result = described_class.search_by(sales_log_to_search.purchid)
+      expect(result.count).to be >= 1
+      expect(result).to include(have_attributes(id: sales_log_to_search.id))
+    end
  end

  context "when filtering by year or nil" do