From 866aab7f2a92f9929a5c5811d3d3c23c11184b26 Mon Sep 17 00:00:00 2001
From: Hiroyuki Sato <sathiroyuki@gmail.com>
Date: Sat, 26 Aug 2017 22:32:55 +0900
Subject: Fix escape characters was not sanitized

---
 lib/gitlab/sql/pattern.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'lib/gitlab/sql')

diff --git a/lib/gitlab/sql/pattern.rb b/lib/gitlab/sql/pattern.rb
index 47ea19994a2..46c973d8a11 100644
--- a/lib/gitlab/sql/pattern.rb
+++ b/lib/gitlab/sql/pattern.rb
@@ -11,9 +11,9 @@ module Gitlab
 
       def to_sql
         if exact_matching?
-          query
+          sanitized_query
         else
-          "%#{query}%"
+          "%#{sanitized_query}%"
         end
       end
 
@@ -24,6 +24,11 @@ module Gitlab
       def partial_matching?
         @query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
       end
+
+      def sanitized_query
+        # Note: ActiveRecord::Base.sanitize_sql_like is a protected method
+        ActiveRecord::Base.__send__(:sanitize_sql_like, query)
+      end
     end
   end
 end
-- 
cgit v1.2.3