mastodon/spec
Claire 5e9118c9bb Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e.
2022-02-02 14:21:12 +01:00
..
controllers Fix AccountNote not having a maximum length (#16942) 2022-01-28 22:53:15 +01:00
fabricators Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
features Add submit button to the top of preferences pages (#13068) 2020-03-08 16:04:03 +01:00
fixtures Fix some link previews being incorrectly generated from other prior links (#16885) 2022-01-28 22:52:42 +01:00
helpers Change RTL detection to rely on unicode-bidi paragraph by paragraph (#14573) 2020-12-15 12:56:43 +01:00
lib Fix addressing of remote groups' followers (#16700) 2022-01-28 22:52:42 +01:00
mailers refactor: add email previews for WebAuthn emails (#14658) 2020-08-25 01:21:11 +02:00
models Fix error-prone SQL queries (#15828) 2022-02-02 14:21:12 +01:00
policies Add support for reversible suspensions through ActivityPub (#14989) 2020-11-08 00:28:39 +01:00
presenters Admission-based registrations mode (#10250) 2019-03-14 05:28:30 +01:00
requests Fix localization test failing due to order of locale definitions (#12393) 2019-11-15 21:00:09 +01:00
routing
serializers/activitypub Fix account URI in UpdatePollSerializer (#11194) 2019-06-27 19:41:55 +02:00
services Fix filtering DMs from non-followed users (#17042) 2022-01-28 22:53:15 +01:00
support Fix base64-encoded file uploads not being possible (#12748) 2020-01-04 01:54:07 +01:00
validators Improve email address validation (#14565) 2020-08-12 12:40:25 +02:00
views Remove Atom feeds and old URLs in the form of GET /:username/updates/:id (#11247) 2019-07-07 16:16:51 +02:00
workers Fix AccountNote not having a maximum length (#16942) 2022-01-28 22:53:15 +01:00
rails_helper.rb Add WebAuthn as an alternative 2FA method (#14466) 2020-08-24 16:46:27 +02:00
spec_helper.rb Move rspec examples to tmp dir (#12539) 2019-12-02 19:55:08 +01:00