Docker/Maybe
Docker/Maybe
1
0
Fork 0
mirror of https://github.com/maybe-finance/maybe.git synced 2025-07-24 07:39:39 +02:00
Code Issues Releases Activity Actions 1

Sanitize input for ilike in Account::Entry.search (#988)

Browse source
This commit is contained in:
Tony Vincent 2024-07-16 15:26:14 +02:00 committed by GitHub
parent cdbca5aff3
commit d0bc959bee
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/models/account/entry.rb
View file

@ -137,7 +137,7 @@ class Account::Entry < ApplicationRecord
def search(params)
query = all
query = query.where("account_entries.name ILIKE ?", "%#{params[:search]}%") if params[:search].present?
query = query.where("account_entries.name ILIKE ?", "%#{sanitize_sql_like(params[:search])}%") if params[:search].present?
query = query.where("account_entries.date >= ?", params[:start_date]) if params[:start_date].present?
query = query.where("account_entries.date <= ?", params[:end_date]) if params[:end_date].present?

3
test/models/account/entry_test.rb
View file

@ -62,6 +62,9 @@ class Account::EntryTest < ActiveSupport::TestCase
params = params.merge(categories: [ category.name ], merchants: [ merchant.name ]) # transaction specific search param
assert_equal 1, family.entries.search(params).size
params = { search: "%" }
assert_equal 0, family.entries.search(params).size
end
test "can calculate total spending for a group of transactions" do