Open AmShaegar13 opened 2 months ago
When normalizing attributes using the new ActiveRecord::normalizes method, % could be tampered with.
```ruby
class User < ActiveRecord::Base
  normalizes :name, with: ->(name) { name.gsub(/[^a-z0-9]/, '_') }
end

User.ransack({ name_cont: 'foo' }).result.to_sql
# => "SELECT \"users\".* FROM \"users\" WHERE \"users\".\"name\" LIKE '_foo_'"
#                                                                      ^   ^
#                                                                      %foo%
```
Failing test
In my opinion, this should not be possible as normalizes should only apply to the attribute itself and the search term but not the wildcards.
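As an added illustration (plain Ruby, not ransack's or Rails' code): the two orderings side by side, using the normalizer from the report. `cont_pattern_normalizing_after_wrap`, `cont_pattern_normalizing_term_only` and `escape_like` are constructed for this example; the first models the reported behaviour, the second normalizes only the search term and escapes LIKE metacharacters before the predicate adds its own wildcards.

```ruby
# Constructed stand-alone model of how a `_cont` predicate builds its LIKE
# pattern; not ransack or ActiveRecord code. The normalizer is the one from
# the report: every character outside [a-z0-9] becomes '_'.
NORMALIZE_NAME = ->(name) { name.gsub(/[^a-z0-9]/, '_') }

# Reported ordering: the '%' wildcards are added first and the whole pattern
# is then run through the attribute normalizer, so '%' is rewritten to '_'
# (which LIKE treats as a single-character wildcard, not a literal).
def cont_pattern_normalizing_after_wrap(term, normalizer)
  normalizer.call("%#{term}%")
end

# Escape LIKE metacharacters in the user-supplied term so that only the
# wildcards the predicate adds act as wildcards. '_' is itself a wildcard,
# and this normalizer emits it, so escaping must happen after normalization.
# `escape` is the character declared in the query's ESCAPE clause.
def escape_like(term, escape: '\\')
  term.gsub(/[\\%_]/) { |c| "#{escape}#{c}" }
end

# Expected ordering: normalize only the search term, escape it, then wrap it.
def cont_pattern_normalizing_term_only(term, normalizer)
  "%#{escape_like(normalizer.call(term))}%"
end

if $PROGRAM_NAME == __FILE__
  puts cont_pattern_normalizing_after_wrap('foo', NORMALIZE_NAME)  # _foo_
  puts cont_pattern_normalizing_term_only('foo', NORMALIZE_NAME)   # %foo%
  # A term carrying its own '%' is normalized to '_' and then escaped, so it
  # no longer widens the match.
  puts cont_pattern_normalizing_term_only('a%b', NORMALIZE_NAME)   # %a\_b%
end
```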