DEV: Quote values when constructing SQL (#18827)

All of these cases should already be safe, but still good to quote for "defense in depth".
2025-02-25 18:55:32 -06:00 · 2022-11-01 14:05:13 -05:00
parent a356e2fe30
commit 167181f4b7
12 changed files with 39 additions and 37 deletions
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -65,7 +65,7 @@ class GroupsController < ApplicationController

    if !guardian.is_staff?
      # hide automatic groups from all non stuff to de-clutter page
-      groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
+      groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
      type_filters.delete(:automatic)
    end

@@ -129,7 +129,7 @@ class GroupsController < ApplicationController
      format.json do
        groups = Group.visible_groups(current_user)
        if !guardian.is_staff?
-          groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
+          groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
        end

        render_json_dump(
--- a/app/jobs/onceoff/migrate_custom_emojis.rb
+++ b/app/jobs/onceoff/migrate_custom_emojis.rb
@@ -29,7 +29,7 @@ module Jobs

      Emoji.clear_cache

-      Post.where("cooked LIKE '%#{Emoji.base_url}%'").find_each do |post|
+      Post.where("cooked LIKE ?", "%#{Emoji.base_url}%").find_each do |post|
        post.rebake!
      end
    end
--- a/app/jobs/regular/anonymize_user.rb
+++ b/app/jobs/regular/anonymize_user.rb
@@ -46,8 +46,9 @@ module Jobs
      # UserHistory for delete_user logs the user's IP. Note this is quite ugly but we don't
      # have a better way of querying on details right now.
      UserHistory.where(
-        "action = :action AND details LIKE 'id: #{@user_id}\n%'",
-        action: UserHistory.actions[:delete_user]
+        "action = :action AND details LIKE :details",
+        action: UserHistory.actions[:delete_user],
+        details: "id: #{@user_id}\n%",
      ).update_all(ip_address: new_ip)
    end

--- a/app/jobs/scheduled/clean_up_uploads.rb
+++ b/app/jobs/scheduled/clean_up_uploads.rb
@@ -41,9 +41,9 @@ module Jobs
        if upload.sha1.present?
          # TODO: Remove this check after UploadReferences records were created
          encoded_sha = Base62.encode(upload.sha1.hex)
-          next if ReviewableQueuedPost.pending.where("payload->>'raw' LIKE '%#{upload.sha1}%' OR payload->>'raw' LIKE '%#{encoded_sha}%'").exists?
-          next if Draft.where("data LIKE '%#{upload.sha1}%' OR data LIKE '%#{encoded_sha}%'").exists?
-          next if UserProfile.where("bio_raw LIKE '%#{upload.sha1}%' OR bio_raw LIKE '%#{encoded_sha}%'").exists?
+          next if ReviewableQueuedPost.pending.where("payload->>'raw' LIKE ? OR payload->>'raw' LIKE ?", "%#{upload.sha1}%", "%#{encoded_sha}%").exists?
+          next if Draft.where("data LIKE ? OR data LIKE ?", "%#{upload.sha1}%", "%#{encoded_sha}%").exists?
+          next if UserProfile.where("bio_raw LIKE ? OR bio_raw LIKE ?", "%#{upload.sha1}%", "%#{encoded_sha}%").exists?

          upload.destroy
        else
--- a/app/jobs/scheduled/enqueue_digest_emails.rb
+++ b/app/jobs/scheduled/enqueue_digest_emails.rb
@@ -23,12 +23,12 @@ module Jobs
        .where(staged: false)
        .joins(:user_option, :user_stat, :user_emails)
        .where("user_options.email_digests")
-        .where("user_stats.bounce_score < #{SiteSetting.bounce_score_threshold}")
+        .where("user_stats.bounce_score < ?", SiteSetting.bounce_score_threshold)
        .where("user_emails.primary")
        .where("COALESCE(last_emailed_at, '2010-01-01') <= CURRENT_TIMESTAMP - ('1 MINUTE'::INTERVAL * user_options.digest_after_minutes)")
        .where("COALESCE(user_stats.digest_attempted_at, '2010-01-01') <= CURRENT_TIMESTAMP - ('1 MINUTE'::INTERVAL * user_options.digest_after_minutes)")
        .where("COALESCE(last_seen_at, '2010-01-01') <= CURRENT_TIMESTAMP - ('1 MINUTE'::INTERVAL * user_options.digest_after_minutes)")
-        .where("COALESCE(last_seen_at, '2010-01-01') >= CURRENT_TIMESTAMP - ('1 DAY'::INTERVAL * #{SiteSetting.suppress_digest_email_after_days})")
+        .where("COALESCE(last_seen_at, '2010-01-01') >= CURRENT_TIMESTAMP - ('1 DAY'::INTERVAL * ?)", SiteSetting.suppress_digest_email_after_days)
        .order("user_stats.digest_attempted_at ASC NULLS FIRST")

      # If the site requires approval, make sure the user is approved
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -480,7 +480,7 @@ class Upload < ActiveRecord::Base
        db = RailsMultisite::ConnectionManagement.current_db

        scope = Upload.by_users
-          .where("url NOT LIKE '%/original/_X/%' AND url LIKE '%/uploads/#{db}%'")
+          .where("url NOT LIKE '%/original/_X/%' AND url LIKE ?", "%/uploads/#{db}%")
          .order(id: :desc)

        scope = scope.limit(limit) if limit