activerecord-hackery / ransack

Object-based searching.
https://activerecord-hackery.github.io/ransack/
MIT License

[BUG][RoR 7.1] ActiveRecord::normalizes can break `cont` predicate #1488

Open AmShaegar13 opened 2 months ago

AmShaegar13 commented 2 months ago

When normalizing attributes using the new ActiveRecord::normalizes method, % could be tampered with.

```ruby
class User < ActiveRecord::Base
  normalizes :name, with: ->(name) { name.gsub(/[^a-z0-9]/, '_') }
end

User.ransack({ name_cont: 'foo' }).result.to_sql
# => "SELECT \"users\".* FROM \"users\" WHERE \"users\".\"name\" LIKE '_foo_'"
#                                                                      ^   ^
#                                                                      %foo%
```

Failing test

In my opinion, this should not be possible as normalizes should only apply to the attribute itself and the search term but not the wildcards.
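The following is an added example, not code from the issue, from ransack or from Rails. It models the interaction the report describes: Rails 7.1 documents that `normalizes` is applied not only on assignment but also to values passed to query methods, so a LIKE pattern built as `%foo%` and then handed to the query layer goes through the attribute's normalizer. The block contrasts "wrap wildcards, then normalize" (the order that produces `_foo_`) with "normalize the term, then wrap", and uses a small LIKE-to-Regexp translator so the change in match semantics can be checked without a database. `NORMALIZE_NAME` is the lambda from the issue; every other name and the sample rows are my own.

```ruby
# Added example, not ransack or Rails code. NORMALIZE_NAME is the normalizer
# from the issue; the helper names and sample data are assumptions made here.

NORMALIZE_NAME = ->(name) { name.gsub(/[^a-z0-9]/, '_') }

# Order observed in the issue: wildcards are added first and the whole
# pattern is then normalized, so both `%` characters become `_`.
def cont_pattern_wrap_then_normalize(term, normalizer = NORMALIZE_NAME)
  normalizer.call("%#{term}%")
end

# Order the reporter expects: only the user's search term is normalized,
# the wildcards are added afterwards and stay intact.
def cont_pattern_normalize_then_wrap(term, normalizer = NORMALIZE_NAME)
  "%#{normalizer.call(term)}%"
end

# In SQL LIKE, `%` matches any run of characters and `_` exactly one
# character. Escape both (and the escape character itself) when a term
# must be matched literally; note that this normalizer *produces* `_`.
def escape_like(term)
  term.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Translate a LIKE pattern (with backslash escapes) into an anchored Regexp
# so the effect of each pattern can be checked offline.
def like_to_regexp(pattern)
  src = +''
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    case c
    when '\\'
      i += 1
      src << Regexp.escape(chars[i].to_s)
    when '%' then src << '.*'
    when '_' then src << '.'
    else src << Regexp.escape(c)
    end
    i += 1
  end
  /\A#{src}\z/m
end

def like_match?(pattern, value)
  like_to_regexp(pattern).match?(value)
end

# Constructed sample rows, not real data.
SAMPLE_NAMES = %w[foo xfoox foobar my_foo_bar].freeze

def names_matching(pattern)
  SAMPLE_NAMES.select { |name| like_match?(pattern, name) }
end

if $PROGRAM_NAME == __FILE__
  buggy = cont_pattern_wrap_then_normalize('foo')   # "_foo_"
  fixed = cont_pattern_normalize_then_wrap('foo')   # "%foo%"
  puts "wrap-then-normalize: #{buggy.inspect} matches #{names_matching(buggy).inspect}"
  puts "normalize-then-wrap: #{fixed.inspect} matches #{names_matching(fixed).inspect}"
  literal = "%#{escape_like('_foo_')}%"
  puts "escaped literal term: #{literal.inspect} matches #{names_matching(literal).inspect}"
end
```

Run against the constructed rows, `_foo_` matches only the five-character value `xfoox`, while `%foo%` matches every row containing `foo`: the normalized pattern is not a broken query, it is a silently different one, which is why a test on the generated SQL (as the reporter's failing test does) catches it where a "does it raise" check would not. The `escape_like` helper is included because the `_` this normalizer emits is itself a single-character wildcard; whether and how the real predicate escapes the term is not shown on this page.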