It looks like the following is vulnerable to SQL injection. It ought to be solved by whitelisting against the model's parameters, and also escaping the inputs.

```ruby
query = resource.where(permitted_params).where(fuzzy_search_field, fuzzy_search_query).order(order_params).paginate(pagination_params)
```

```ruby
def fuzzy_search_field
  "#{params["search_field"]} #{GeneralizedApi::DATABASE_LIKE} ?"
end
```
Referenced code: generalized_api/lib/generalized_api/api.rb, line 71 and lines 149 to 151 at 093ea7b.