Improve detection of similarity sorting in GraphQL

What does this MR do?

This MR improves the detection of similarity sorting in GraphQL. Previously we were using a regex to look for an SQL pattern (/SIMILARITY\(/). This is error-prone and could lead to false positives in the future.

The solution is to add a special SQL comment in the query that we can easily check later. The comment is added when generating the SIMILARITY() function.

Example expression:

ORDER BY (
/* gitlab/database/similarity_score */ SIMILARITY(COALESCE(path, ''), 'different') * CAST('1' AS numeric)) + 
(/* gitlab/database/similarity_score */ SIMILARITY(COALESCE(name, ''), 'different') * CAST('0.8' AS numeric)
) DESC, id DESC;
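As an added illustration (not GitLab's own code), the marker-comment approach sketched above in plain Ruby: plain strings stand in for the Arel nodes, the helper names are assumed, and the old regex check is kept alongside to show the kind of false positive the comment marker avoids.

```ruby
# Added example, not code from the MR. Plain strings stand in for Arel;
# real code should quote literals through the connection
# (e.g. ActiveRecord::Base.connection.quote) rather than by hand.

SIMILARITY_MARKER = 'gitlab/database/similarity_score'.freeze

# One weighted term, in the shape shown in the MR description:
# /* marker */ SIMILARITY(COALESCE(col, ''), 'term') * CAST('w' AS numeric)
def similarity_term(column, search, weight)
  literal = search.gsub("'", "''") # standard SQL single-quote escaping (demo only)
  "(/* #{SIMILARITY_MARKER} */ SIMILARITY(COALESCE(#{column}, ''), '#{literal}') " \
    "* CAST('#{weight}' AS numeric))"
end

# rules: [[column, weight], ...]; returns the full ORDER BY expression
def similarity_order(rules, search)
  terms = rules.map { |column, weight| similarity_term(column, search, weight) }
  "(#{terms.join(' + ')}) DESC"
end

# Old detection (what the MR replaces): pattern-match the SQL text
def similarity_sort_regex?(order_expr)
  order_expr.match?(/SIMILARITY\(/)
end

# New detection: look for the marker comment that only our generator emits
def similarity_sort_marker?(order_expr)
  order_expr.include?("/* #{SIMILARITY_MARKER} */")
end

# Constructed input: an unrelated function name that also matches the regex
OTHER_ORDER = "ORDER BY CUSTOM_SIMILARITY(name, 'x') DESC".freeze

puts similarity_order([['path', 1], ['name', 0.8]], 'different')
puts "regex flags unrelated sort: #{similarity_sort_regex?(OTHER_ORDER)}"   # true
puts "marker flags unrelated sort: #{similarity_sort_marker?(OTHER_ORDER)}" # false
```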

Other approaches (didn't work out):

  • Use annotate from Rails.
    • Unfortunately this adds the comment to the end of the query. When detecting the sorting in GraphQL we only have access to the order expression (not the full query).
  • Use Arel::Nodes::Comment to generate a comment string.
    • It's not possible to combine it with the existing Arel nodes (visitor call is missing).

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Closes #244853 (closed)

Edited by Adam Hegyi