Sanitize SQL queries in order to prevent wildcard injection
Problems
It seems some SQL queries interpolate a parameter into a LIKE pattern without sanitizing it. This lets users inject the LIKE wildcards (% and _) into the pattern, so a prefix such as "%" matches every row instead of rows that literally start with the given value. The parameter should be passed through sanitize_sql_like before the trailing % is appended.
Examples
Good (user input is escaped with sanitize_sql_like, so only the trailing % is a wildcard)
where('name LIKE ?', "#{sanitize_sql_like(query)}%").limit(limit)
https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/models/environment.rb#L58
Good (the pattern is a constant, no user input reaches the LIKE clause)
scope :with_ldap_dn, -> { joins(user: :identities).where("identities.provider LIKE ?", 'ldap%') }
https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/app/models/ee/group_member.rb#L10
Bad (the caller-supplied prefix is interpolated unescaped, so % and _ in it act as wildcards)
scope :with_url_prefix, ->(prefix) { where('url LIKE ?', "#{prefix}%") }
https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/app/models/geo_node.rb#L50
Bad (same problem: name is interpolated without sanitize_sql_like)
.where('environments.name LIKE ?', "#{name}%")
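To show what the "Bad" scopes actually expose, here is an added example (not GitLab code). It re-implements the escaping that ActiveRecord's sanitize_sql_like performs (escaping "\", "%" and "_" with a backslash) and simulates the database's LIKE matching in plain Ruby, so it runs without ActiveRecord or a database; the URL rows and the with_url_prefix_* helpers are constructed for the demonstration and stand in for the geo_node.rb scope.

```ruby
# Added example, not GitLab's code. Reproduces the behaviour of
# ActiveRecord's sanitize_sql_like so the effect of an unsanitized
# LIKE prefix can be shown without a database.
ESCAPE = "\\"

# Escape the LIKE metacharacters (and the escape character itself).
# Equivalent to ActiveRecord::Sanitization#sanitize_sql_like.
def sanitize_sql_like(string, escape_character = ESCAPE)
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| escape_character + x }
end

# Translate a SQL LIKE pattern (backslash as escape character) into an
# anchored Regexp. Only used here to simulate the database's matching.
def like_to_regexp(pattern, escape_character = ESCAPE)
  out = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == escape_character && i + 1 < chars.length
      out << Regexp.escape(chars[i + 1]) # escaped char is literal
      i += 2
      next
    end
    out << case c
           when "%" then ".*" # any run of characters
           when "_" then "."  # exactly one character
           else Regexp.escape(c)
           end
    i += 1
  end
  Regexp.new("\\A#{out}\\z", Regexp::MULTILINE)
end

# Simulated `where('url LIKE ?', pattern)` over an in-memory table.
def like_where(rows, pattern)
  re = like_to_regexp(pattern)
  rows.select { |row| re.match?(row) }
end

# Constructed sample data standing in for geo_nodes.url.
URLS = [
  "https://primary.example.com/",
  "https://secondary.example.com/",
  "http://legacy.example.com/",
  "%internal%",
].freeze

# Bad: mirrors the geo_node.rb scope; the caller's prefix is interpolated
# raw, so "%" matches every row and "_" matches any single character.
def with_url_prefix_unsafe(prefix)
  like_where(URLS, "#{prefix}%")
end

# Good: escape the caller's input first; only the trailing % is a wildcard.
def with_url_prefix_safe(prefix)
  like_where(URLS, "#{sanitize_sql_like(prefix)}%")
end

if __FILE__ == $PROGRAM_NAME
  p with_url_prefix_unsafe("%")         # every row
  p with_url_prefix_safe("%")           # only the literal "%internal%"
  p with_url_prefix_unsafe("http_://")  # the two https:// rows, via "_"
  p with_url_prefix_safe("http_://")    # nothing: "_" is now literal
end
```

The unsafe scope lets a caller enumerate the whole table with "%" and probe single characters with "_"; the safe version returns only rows whose url literally begins with the supplied prefix. Note that sanitize_sql_like escapes "_" as well as "%", which is why the hardened form is the right fix rather than stripping "%" alone.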
Proposal
Check with RuboCop: add a cop that flags LIKE conditions whose interpolated argument is not wrapped in sanitize_sql_like, so new occurrences are caught in CI.
Edited by Shinya Maeda