Do not put user-controller custom field name in SQL query comment

Klaus Zanders
2026-03-13 09:58:30 +01:00
parent 41f3e47475
commit 5ae66849a1
2 changed files with 42 additions and 6 deletions
@@ -113,7 +113,7 @@ module CostQuery::CustomFieldMixin
custom_options_table = CustomOption.table_name
<<-SQL
-- BEGIN Custom Field Join: #{db_field}
-- BEGIN Custom Field Join: cf_#{field.id}
LEFT OUTER JOIN (
SELECT
co.id AS #{db_field},
@@ -129,16 +129,16 @@ module CostQuery::CustomFieldMixin
AND #{db_field}.custom_field_id = #{field.id}
AND #{db_field}.customized_id = entries.entity_id
-- END Custom Field Join: #{db_field}
-- END Custom Field Join: cf_#{field.id}
SQL
end
def default_join_table(field)
<<-SQL % [CustomValue.table_name, table_name, field.id, field.name, SQL_TYPES[field.field_format]]
-- BEGIN Custom Field Join: "%4$s"
<<-SQL % [CustomValue.table_name, table_name, field.id, SQL_TYPES[field.field_format]]
-- BEGIN Custom Field Join: cf_%3$d
LEFT OUTER JOIN (
\tSELECT
\t\tCAST(value AS %5$s) AS %2$s,
\t\tCAST(value AS %4$s) AS %2$s,
\t\tcustomized_type,
\t\tcustom_field_id,
\t\tcustomized_id
@@ -148,7 +148,7 @@ module CostQuery::CustomFieldMixin
ON %2$s.customized_type = 'WorkPackage'
AND %2$s.custom_field_id = %3$d
AND %2$s.customized_id = entries.entity_id
-- END Custom Field Join: "%4$s"
-- END Custom Field Join: cf_%3$d
SQL
end
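Review bot: The `-- BEGIN`/`-- END` lines in `default_join_table` now carry only `cf_%3$d`, but nothing in the code records why, so a later edit could reintroduce `field.name` into the format arguments; add a comment above the `<<-SQL % [...]` line such as `# Only field.id goes into the SQL comment: the field name is user-controlled, and a newline in it would end the "--" comment and let the remainder run as SQL.`, and the same comment above the `cf_#{field.id}` heredoc in the first hunk. The other interpolated identifiers (`#{db_field}` in the first two hunks, `%2$s` / `table_name` here) are still emitted unquoted as column and table aliases; that is fine only if they are built purely from the numeric id, which these hunks do not show, so it is worth confirming where they come from. The method containing the first two hunks starts outside the diff.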
@@ -0,0 +1,36 @@
# frozen_string_literal: true
require_relative "../../spec_helper"
RSpec.describe CostQuery::CustomFieldMixin, :reporting_query_helper do
minimal_query
let!(:project) { create(:project_with_types) }
let!(:user) { create(:admin) }
describe "#default_join_table" do
let!(:custom_field) do
create(:wp_custom_field, :string, name: "Robert'); DROP TABLE Students;-- Roberts")
end
before do
CostQuery::Cache.reset!
CostQuery::Filter::CustomFieldEntries.all
end
after do
CostQuery::Cache.reset!
CostQuery::Filter::CustomFieldEntries.reset!
end
it "uses field.id in the SQL comment and does not include the field name" do
query.filter custom_field.attribute_name, operator: "=", value: "test"
sql = query.sql_statement.to_s
expect(sql).to include("-- BEGIN Custom Field Join: cf_#{custom_field.id}")
expect(sql).to include("-- END Custom Field Join: cf_#{custom_field.id}")
expect(sql).not_to include("DROP TABLE students")
expect(sql).to include("CAST(value AS varchar)")
end
end
end
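Review bot: The negative assertion `expect(sql).not_to include("DROP TABLE students")` cannot fail: the fixture name is `Robert'); DROP TABLE Students;-- Roberts` with a capital S, and `String#include?` is case-sensitive, so the spec would still pass if the name were emitted into the SQL verbatim as before. Assert on the real value instead, `expect(sql).not_to include(custom_field.name)`, which also keeps the fixture and the expectation from drifting apart. The positive `cf_#{custom_field.id}` checks are good; a second example whose name contains a newline would additionally cover the comment-termination case that the fix actually guards against, since a string without a newline stays inside the `--` comment either way.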