Resolve sql injection warnings from brakeman

delonnewman · Oct 9, 2024 · f7cb58f · f7cb58f
1 parent 3099edd
commit f7cb58f
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 9 deletions.
diff --git a/app/models/dragnet/type.rb b/app/models/dragnet/type.rb
@@ -1,5 +1,8 @@
 module Dragnet
   class Type
+    # include sql sanitation methods from ActiveRecord
+    include ActiveRecord::Sanitization::ClassMethods
+
     attr_reader :question_type
 
     def initialize(question_type)

diff --git a/app/models/dragnet/type/boolean.rb b/app/models/dragnet/type/boolean.rb
@@ -3,7 +3,7 @@
 module Dragnet
   class Type::Boolean < Type
     def data_grid_sort(_question, scope, direction, join_name)
-      scope.order(Arel.sql("#{join_name}.boolean_value") => direction)
+      scope.order(sanitize_sql_for_order("#{join_name}.boolean_value") => direction)
     end
 
     def data_grid_filter(_question, scope, table, value)

diff --git a/app/models/dragnet/type/choice.rb b/app/models/dragnet/type/choice.rb
@@ -3,7 +3,7 @@
 module Dragnet
   class Type::Choice < Type
     def data_grid_sort(_question, scope, direction, join_name)
-      scope.order(Arel.sql("#{join_name}.question_option_id") => direction)
+      scope.order(sanitize_sql_for_order("#{join_name}.question_option_id") => direction)
     end
 
     def data_grid_filter(_question, scope, table, value)

diff --git a/app/models/dragnet/type/number.rb b/app/models/dragnet/type/number.rb
@@ -4,9 +4,9 @@ module Dragnet
   class Type::Number < Type
     def data_grid_sort(question, scope, direction, join_name)
       if question.settings.decimal?
-        scope.order(Arel.sql("#{join_name}.float_value") => direction)
+        scope.order(sanitize_sql_for_order("#{join_name}.float_value") => direction)
       else
-        scope.order(Arel.sql("#{join_name}.integer_value") => direction)
+        scope.order(sanitize_sql_for_order("#{join_name}.integer_value") => direction)
       end
     end
 

diff --git a/app/models/dragnet/type/text.rb b/app/models/dragnet/type/text.rb
@@ -4,9 +4,9 @@ module Dragnet
   class Type::Text < Type
     def data_grid_sort(question, scope, direction, join_name)
       if question.settings.long_answer?
-        scope.order(Arel.sql("#{join_name}.long_text_value") => direction)
+        scope.order(sanitize_sql_for_order("#{join_name}.long_text_value") => direction)
       else
-        scope.order(Arel.sql("#{join_name}.short_text_value") => direction)
+        scope.order(sanitize_sql_for_order("#{join_name}.short_text_value") => direction)
       end
     end
 

diff --git a/app/models/dragnet/type/time.rb b/app/models/dragnet/type/time.rb
@@ -4,11 +4,14 @@ module Dragnet
   class Type::Time < Type
     def data_grid_sort(question, scope, direction, join_name)
       if question.settings.include_date_and_time?
-        scope.order(Arel.sql("#{join_name}.date_value") => direction, Arel.sql("#{join_name}.time_value") => direction)
+        scope.order(
+          sanitize_sql_for_order("#{join_name}.date_value") => direction,
+          sanitize_sql_for_order("#{join_name}.time_value") => direction
+        )
       elsif question.settings.include_time?
-        scope.order(Arel.sql("#{join_name}.time_value") => direction)
+        scope.order(sanitize_sql_for_order("#{join_name}.time_value") => direction)
       else
-        scope.order(Arel.sql("#{join_name}.date_value") => direction)
+        scope.order(sanitize_sql_for_order("#{join_name}.date_value") => direction)
       end
     end