security warning fixes

patterninc · Nov 4, 2024 · ef2d9b7 · ef2d9b7
1 parent f865796
commit ef2d9b7
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/lib/query_helper/sql_parser.rb b/lib/query_helper/sql_parser.rb
@@ -18,7 +18,8 @@ def update(sql)
 
     def remove_comments
       # Remove SQL inline comments (/* */) and line comments (--)
-      @sql = @sql.gsub(/\/\*(.*?)\*\//, '').gsub(/--(.*)$/, '')
+      @sql = @sql.gsub(%r{/\*.*?\*/}m, '')   # Removes multi-line comments (/* ... */)
+           .gsub(/--[^\n]*$/, '')       # Removes single-line comments (-- ... until end of line)
       @sql.squish!
     end
 
@@ -186,7 +187,7 @@ def find_aliases
         ColumnMap.new(
           alias_name: sql_alias,
           sql_expression: sql_expression.squish,
-          aggregate: /(array_agg|avg|bit_and|bit_or|bool_and|bool_or|boolor_agg|booland_agg|count|every|json_agg|jsonb_agg|json_object_agg|jsonb_object_agg|max|min|string_agg|sum|xmlagg)\((.*)\)/.match?(sql_expression)
+          aggregate: /\b(array_agg|avg|bit_and|bit_or|bool_and|bool_or|boolor_agg|booland_agg|count|every|json_agg|jsonb_agg|json_object_agg|jsonb_object_agg|max|min|string_agg|sum|xmlagg)\((.*?)\)/.match?(sql_expression)
         ) if sql_alias
       end
       column_maps.compact

diff --git a/spec/fixtures/controllers.rb b/spec/fixtures/controllers.rb
@@ -5,6 +5,7 @@ class ApplicationController < ActionController::API
   include Rails.application.routes.url_helpers
   include QueryHelper::QueryHelperConcern
   before_action :create_query_helper
+  protect_from_forgery with: :exception
 end
 
 class ParentsController < ApplicationController