Fix escape characters was not sanitized

author: Hiroyuki Sato <sathiroyuki@gmail.com> 2017-08-26 16:32:55 +0300
committer: Hiroyuki Sato <sathiroyuki@gmail.com> 2017-08-26 16:32:55 +0300
commit: 866aab7f2a92f9929a5c5811d3d3c23c11184b26 (patch)
tree: 7ea024ee7d908aedae9d3576e9c09fad55c74844 /lib/gitlab/sql
parent: 9e203582b367a1b84035572261a79b62e22bfeaa (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/gitlab/sql/pattern.rb b/lib/gitlab/sql/pattern.rb
index 47ea19994a2..46c973d8a11 100644
--- a/lib/gitlab/sql/pattern.rb
+++ b/lib/gitlab/sql/pattern.rb
@@ -11,9 +11,9 @@ module Gitlab
 
       def to_sql
         if exact_matching?
-          query
+          sanitized_query
         else
-          "%#{query}%"
+          "%#{sanitized_query}%"
         end
       end
 
@@ -24,6 +24,11 @@ module Gitlab
       def partial_matching?
         @query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
       end
+
+      def sanitized_query
+        # Note: ActiveRecord::Base.sanitize_sql_like is a protected method
+        ActiveRecord::Base.__send__(:sanitize_sql_like, query)
+      end
     end
   end
 end
author	Hiroyuki Sato <sathiroyuki@gmail.com>	2017-08-26 16:32:55 +0300
committer	Hiroyuki Sato <sathiroyuki@gmail.com>	2017-08-26 16:32:55 +0300
commit	866aab7f2a92f9929a5c5811d3d3c23c11184b26 (patch)
tree	7ea024ee7d908aedae9d3576e9c09fad55c74844 /lib/gitlab/sql
parent	9e203582b367a1b84035572261a79b62e22bfeaa (diff)