Skip to content

Commit d4b2de8

Browse files
steveykensteveyken
committed
Refactor activity_user to remove possible SQL injection points.
1 parent 078035f commit d4b2de8

File tree

2 files changed

+10
-6
lines changed

2 files changed

+10
-6
lines changed

app/controllers/home_controller.rb

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -122,6 +122,9 @@ def activity_event
122122
end
123123

124124
#----------------------------------------------------------------------------
125+
# TODO: this is ugly, ugly code. It's being security patched now but urgently
126+
# needs refactoring to use user id instead. Permuations based on name or email
127+
# yield incorrect results.
125128
def activity_user
126129
user = current_user.pref[:activity_user]
127130
if user && user != "all_users"
@@ -130,12 +133,11 @@ def activity_user
130133
else # first_name middle_name last_name any_name
131134
name_query = if user.include?(" ")
132135
user.name_permutations.map{ |first, last|
133-
"(upper(first_name) LIKE upper('%#{first}%') AND upper(last_name) LIKE upper('%#{last}%'))"
134-
}.join(" OR ")
136+
User.where(:first_name => first, :last_name => last)
137+
}.map(&:to_a).flatten.first
135138
else
136-
"upper(first_name) LIKE upper('%#{user}%') OR upper(last_name) LIKE upper('%#{user}%')"
139+
[User.where(:first_name => user), User.where(:last_name => user)].map(&:to_a).flatten.first
137140
end
138-
User.where(name_query).first
139141
end
140142
end
141143
user.is_a?(User) ? user.id : nil

spec/controllers/home_controller_spec.rb

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -171,14 +171,16 @@
171171
it "should find a user by first name or last name" do
172172
@cur_user.stub(:pref).and_return(:activity_user => 'Billy')
173173
controller.instance_variable_set(:@current_user, @cur_user)
174-
User.should_receive(:where).with("upper(first_name) LIKE upper('%Billy%') OR upper(last_name) LIKE upper('%Billy%')").and_return([@user])
174+
User.should_receive(:where).with(:first_name => 'Billy').and_return([@user])
175+
User.should_receive(:where).with(:last_name => 'Billy').and_return([@user])
175176
controller.send(:activity_user).should == 1
176177
end
177178

178179
it "should find a user by first name and last name" do
179180
@cur_user.stub(:pref).and_return(:activity_user => 'Billy Elliot')
180181
controller.instance_variable_set(:@current_user, @cur_user)
181-
User.should_receive(:where).with("(upper(first_name) LIKE upper('%Billy%') AND upper(last_name) LIKE upper('%Elliot%')) OR (upper(first_name) LIKE upper('%Elliot%') AND upper(last_name) LIKE upper('%Billy%'))").and_return([@user])
182+
User.should_receive(:where).with(:first_name => 'Billy', :last_name => "Elliot").and_return([@user])
183+
User.should_receive(:where).with(:first_name => 'Elliot', :last_name => "Billy").and_return([@user])
182184
controller.send(:activity_user).should == 1
183185
end
184186

0 commit comments

Comments
 (0)