portagenetwork / roadmap

Developed by the Alliance in collaboration with the University of Alberta, DMP Assistant is a data management planning tool that forks the DMP Roadmap codebase.
MIT License

ActionView::Template::Error: sort_field param looks unsafe #763

Open aaronskiba opened 1 month ago

aaronskiba commented 1 month ago

View details in Rollbar: https://app.rollbar.com/a/ualbertalib/fix/item/dmp_assistant/459

ArgumentError: sort_field param looks unsafe
  File "/var/www/sites/dmp/app/controllers/concerns/paginable.rb", line 136, in refine_query
  File "/var/www/sites/dmp/app/controllers/concerns/paginable.rb", line 73, in paginable_renderise
  File "/var/www/sites/dmp/app/views/public_pages/template_index.html.erb", line 15, in _app_views_public_pages_template_index_html_erb___3782478396308087679_119500
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/base.rb", line 247, in public_send
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/base.rb", line 247, in _run
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/template.rb", line 154, in block in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb", line 205, in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/template.rb", line 345, in instrument_render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/template.rb", line 152, in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/template_renderer.rb", line 61, in block (2 levels) in render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb", line 203, in block in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications/instrumenter.rb", line 24, in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb", line 203, in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/template_renderer.rb", line 56, in block in render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/template_renderer.rb", line 71, in block in render_with_layout
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb", line 203, in block in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications/instrumenter.rb", line 24, in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb", line 203, in instrument
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/template_renderer.rb", line 70, in render_with_layout
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/template_renderer.rb", line 55, in render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/template_renderer.rb", line 11, in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/renderer.rb", line 61, in render_template_to_object
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/renderer/renderer.rb", line 29, in render_to_object
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/rendering.rb", line 117, in block in _render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/base.rb", line 273, in in_rendering_context
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/rendering.rb", line 116, in _render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/streaming.rb", line 218, in _render_template
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/rendering.rb", line 103, in render_to_body
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/rendering.rb", line 52, in render_to_body
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/renderers.rb", line 142, in render_to_body
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/rendering.rb", line 25, in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/rendering.rb", line 36, in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/instrumentation.rb", line 46, in block (2 levels) in render
  File "/usr/lib64/ruby/2.7.0/benchmark.rb", line 308, in realtime
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/core_ext/benchmark.rb", line 14, in ms
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/instrumentation.rb", line 46, in block in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/instrumentation.rb", line 86, in cleanup_view_runtime
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activerecord-6.1.7.6/lib/active_record/railties/controller_runtime.rb", line 39, in cleanup_view_runtime
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/instrumentation.rb", line 45, in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/wicked_pdf-2.7.0/lib/wicked_pdf/pdf_helper.rb", line 18, in render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/implicit_render.rb", line 35, in default_render
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/basic_implicit_render.rb", line 6, in block in send_action
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/basic_implicit_render.rb", line 6, in tap
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/basic_implicit_render.rb", line 6, in send_action
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/base.rb", line 228, in process_action
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/rendering.rb", line 30, in process_action
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/callbacks.rb", line 42, in block in process_action
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb", line 117, in block in run_callbacks
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actiontext-6.1.7.6/lib/action_text/rendering.rb", line 20, in with_renderer
  File "/var/www/sites/dmp/vendor/ruby/2.7.0/gems/actiontext-6.1.7.6/lib/action_text/engine.rb", line 59, in bloc
aaronskiba commented 1 month ago

Screenshot from 2024-05-29 12-02-17

All of the request.url entries end in %27, which is URL encoding for '.

Screenshot from 2024-05-29 12-04-41

Screenshot from 2024-05-29 12-05-07

# app/controllers/concerns/paginable.rb
  SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]+$/.freeze

  def refine_query(scope)
    @args = @args.with_indifferent_access
    scope = scope.search(@args[:search]).distinct if @args[:search].present?
    # Can raise NoMethodError if the scope does not define a search method
    if @args[:sort_field].present?
      frmt = @args[:sort_field][SORT_COLUMN_FORMAT]
    raise ArgumentError, 'sort_field param looks unsafe' unless frmt

   130:   def refine_query(scope)
   131:     byebug
=> 132:     @args = @args.with_indifferent_access
   133:     scope = scope.search(@args[:search]).distinct if @args[:search].present?
   134:     # Can raise NoMethodError if the scope does not define a search method
   135:     if @args[:sort_field].present?
   136:       frmt = @args[:sort_field][SORT_COLUMN_FORMAT]
(byebug) @args[:sort_field]
"plans.title'"
(byebug) @args[:sort_field][SORT_COLUMN_FORMAT]
nil
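The following is an added example, not code from the DMP Assistant/DMP Roadmap project. It reproduces the check quoted above in isolation: the same `SORT_COLUMN_FORMAT` pattern is applied to a decoded `sort_field` value, so `plans.title` yields a match while `plans.title'` (the `%27` seen in the Rollbar request URLs) yields `nil`, which is the condition that raises `ArgumentError`. It also shows a stricter variant a maintainer might prefer, with whole-string anchors and an allowlist; the `ALLOWED_SORT_COLUMNS` list and the helper names are assumptions for illustration.

```ruby
# Added example (not the project's own code): mirrors the sort_field check
# from app/controllers/concerns/paginable.rb and a stricter alternative.
require 'cgi'

# Same pattern as SORT_COLUMN_FORMAT in the issue: "<table>.<column>" at end of string.
SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]+$/.freeze

# Hypothetical allowlist of columns a listing is permitted to sort by (constructed).
ALLOWED_SORT_COLUMNS = %w[plans.title plans.updated_at templates.title].freeze

# Equivalent of `@args[:sort_field][SORT_COLUMN_FORMAT]`: returns the matched
# "table.column" substring, or nil when the param would fail the check
# (nil is what the project's code turns into ArgumentError).
def sort_field_match(sort_field)
  return nil unless sort_field.is_a?(String)
  sort_field[SORT_COLUMN_FORMAT]
end

# Stricter variant: \A and \z anchor the whole string (Ruby's $ matches at the
# end of any line, not only at the end of the string), and only columns on the
# allowlist are ever handed on to ORDER BY. Returns the column or nil.
def safe_sort_column(sort_field)
  return nil unless sort_field.is_a?(String)
  return nil unless sort_field.match?(/\A[\w_]+\.[\w_]+\z/)
  ALLOWED_SORT_COLUMNS.include?(sort_field) ? sort_field : nil
end

# Decodes the sort_field value from a query string the way Rack would, so a
# request ending in sort_field=plans.title%27 becomes "plans.title'".
def decoded_sort_field_from_query(query_string)
  CGI.parse(query_string).fetch('sort_field', []).first
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample query strings, including the one that triggered the error.
  ['sort_field=plans.title', 'sort_field=plans.title%27'].each do |qs|
    value = decoded_sort_field_from_query(qs)
    printf("%-28s regex=%-12p allowlist=%p\n", qs, sort_field_match(value), safe_sort_column(value))
  end
end
```

Running the script prints one line per sample: the plain value passes both checks, while the value with the trailing apostrophe returns `nil` from both, matching the byebug session above.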
aaronskiba commented 1 month ago

I can replicate the error when I explicitly input the URL with the ' appended at the end. However, I can't replicate the error any other way.