1
0
Fork 0
forked from fedi/mastodon
mastodon/config
Claire 0a120d86d2
Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23 18:10:10 +01:00
..
environments Fix SMTP_ENABLE_STARTTLS_AUTO/SMTP_TLS/SMTP_SSL environment variables don't work (#17216) 2022-01-13 12:05:22 +01:00
initializers Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287) 2022-01-23 15:50:41 +01:00
locales Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288) 2022-01-23 15:52:58 +01:00
webpack Bump jest from 26.6.3 to 27.1.0 (#16376) 2021-08-28 09:58:04 +09:00
application.rb Add S3_FORCE_SINGLE_REQUEST env var to work around S3 compatibility issues (#16866) 2021-10-18 18:29:04 +02:00
boot.rb Bump bootsnap from 1.6.0 to 1.8.1 (#16677) 2021-09-19 14:42:32 +09:00
brakeman.ignore Fix error-prone SQL queries (#15828) 2022-01-23 18:10:10 +01:00
database.yml config: add DB_SSLMODE for managed/remote PG (#10210) 2019-03-08 14:36:28 +01:00
deploy.rb Change references to tootsuite/mastodon to mastodon/mastodon (#16491) 2021-07-13 15:46:20 +02:00
environment.rb Make PreviewCard records reuseable between statuses (#4642) 2017-09-01 16:20:16 +02:00
i18n-tasks.yml Change move handler to carry blocks over (#14144) 2020-07-01 13:51:15 +02:00
navigation.rb Add batch suspend for accounts in admin UI (#17009) 2021-12-05 21:48:39 +01:00
pghero.yml Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
puma.rb Add PERSISTENT_TIMEOUT option (#11756) 2019-09-04 20:44:08 +02:00
routes.rb Add support for editing for published statuses (#16697) 2022-01-19 22:37:27 +01:00
secrets.yml Upgrade to Rails 5.0.0.1 2016-08-17 17:58:00 +02:00
settings.yml Change auto-following admin-selected accounts, show in recommendations (#16078) 2021-04-24 17:01:43 +02:00
sidekiq.yml Add trending links (#16917) 2021-11-25 13:07:38 +01:00
storage.yml Update Mastodon to Rails 6.1 (#15910) 2021-03-24 10:44:31 +01:00
themes.yml More polished light theme (#7620) 2018-05-25 18:36:26 +02:00
webpacker.yml Bump webpacker from 3.5.5 to 4.0.2 (#10277) 2019-03-15 15:05:31 +01:00