authorSean McGivern <sean@mcgivern.me.uk>2017-03-21 20:22:27 +0300
committerDJ Mountney <david@twkie.net>2017-03-21 20:41:17 +0300
commit0f711b0818888523b400e898b19c5a2954a2613d (patch)
tree04fed02bbe7ae062495be7bf64112d2f60242340 /app
parentc0d47ad566a40f486a82429c96be1126a6e02454 (diff)
Merge branch '29583-routes-like-fix' into 'master'
Escape route path for LIKE queries Closes #29583 See merge request !10117
Diffstat (limited to 'app')
-rw-r--r--app/models/namespace.rb2
-rw-r--r--app/models/project.rb2
-rw-r--r--app/models/route.rb4
3 files changed, 5 insertions, 3 deletions
diff --git a/app/models/namespace.rb b/app/models/namespace.rb
index d350f1d6770..826ded22ae5 100644
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -195,7 +195,7 @@ class Namespace < ActiveRecord::Base
# Scopes the model on direct and indirect children of the record
def descendants
- self.class.joins(:route).where('routes.path LIKE ?', "#{route.path}/%").reorder('routes.path ASC')
+ self.class.joins(:route).merge(Route.inside_path(route.path)).reorder('routes.path ASC')
end
def user_ids_for_project_authorizations
diff --git a/app/models/project.rb b/app/models/project.rb
index da4704554b3..04641dd58a0 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -238,7 +238,7 @@ class Project < ActiveRecord::Base
# We need routes alias rs for JOIN so it does not conflict with
# includes(:route) which we use in ProjectsFinder.
joins("INNER JOIN routes rs ON rs.source_id = projects.id AND rs.source_type = 'Project'").
- where('rs.path LIKE ?', "#{path}/%")
+ where('rs.path LIKE ?', "#{sanitize_sql_like(path)}/%")
end
# "enabled" here means "not disabled". It includes private features!
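Review bot: The new `where('rs.path LIKE ?', "#{sanitize_sql_like(path)}/%")` escapes `%`, `_` and `\` with a backslash, but the query declares no ESCAPE clause, so correct matching relies on the database's default LIKE escape character being backslash — PostgreSQL and MySQL default to that, but the SQL standard defines no default. Declaring it explicitly, e.g. `where("rs.path LIKE ? ESCAPE '\\'", "#{sanitize_sql_like(path)}/%")`, removes that dependency; the exact literal differs between adapters (MySQL interprets backslashes inside string literals), so it should be checked against every supported database. The same applies to the `inside_path` scope added in app/models/route.rb, which this hunk cannot reuse because of the `rs` alias, leaving the escaped-prefix pattern in two places; a comment such as `# Mirrors Route.inside_path; keep the LIKE escaping in step` on the where line would make that coupling visible. The enclosing method begins above the hunk.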
diff --git a/app/models/route.rb b/app/models/route.rb
index 41e6eb7cb73..4b3efab5c3c 100644
--- a/app/models/route.rb
+++ b/app/models/route.rb
@@ -10,9 +10,11 @@ class Route < ActiveRecord::Base
after_update :rename_descendants
+ scope :inside_path, -> (path) { where('routes.path LIKE ?', "#{sanitize_sql_like(path)}/%") }
+
def rename_descendants
if path_changed? || name_changed?
- descendants = Route.where('path LIKE ?', "#{path_was}/%")
+ descendants = self.class.inside_path(path_was)
descendants.each do |route|
attributes = {}