gavin/maybe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 28 Wiki Activity

Sanitize input for ilike in Account::Entry.search (#988)

Browse Source
This commit was merged in pull request #988.
This commit is contained in:
Tony Vincent
2024-07-16 15:26:14 +02:00
committed by GitHub
parent cdbca5aff3
commit d0bc959bee
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/account/entry.rb
View File

@@ -137,7 +137,7 @@ class Account::Entry < ApplicationRecord
def search(params)
query = all
query = query.where("account_entries.name ILIKE ?", "%#{params[:search]}%") if params[:search].present?
query = query.where("account_entries.name ILIKE ?", "%#{sanitize_sql_like(params[:search])}%") if params[:search].present?
query = query.where("account_entries.date >= ?", params[:start_date]) if params[:start_date].present?
query = query.where("account_entries.date <= ?", params[:end_date]) if params[:end_date].present?

3
test/models/account/entry_test.rb
View File

@@ -62,6 +62,9 @@ class Account::EntryTest < ActiveSupport::TestCase
params = params.merge(categories: [ category.name ], merchants: [ merchant.name ]) # transaction specific search param
assert_equal 1, family.entries.search(params).size
params = { search: "%" }
assert_equal 0, family.entries.search(params).size
end
test "can calculate total spending for a group of transactions" do