DEV: Quote values when constructing SQL (#18827)

All of these cases should already be safe, but it is still good to quote for
"defense in depth".
This commit is contained in:
Daniel Waterworth
2022-11-01 14:05:13 -05:00
committed by GitHub
parent a356e2fe30
commit 167181f4b7
12 changed files with 39 additions and 37 deletions


@ -65,7 +65,7 @@ class GroupsController < ApplicationController
if !guardian.is_staff?
# hide automatic groups from all non stuff to de-clutter page
groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
type_filters.delete(:automatic)
end
@ -129,7 +129,7 @@ class GroupsController < ApplicationController
format.json do
groups = Group.visible_groups(current_user)
if !guardian.is_staff?
groups = groups.where("automatic IS FALSE OR groups.id = #{Group::AUTO_GROUPS[:moderators]}")
groups = groups.where("automatic IS FALSE OR groups.id = ?", Group::AUTO_GROUPS[:moderators])
end
render_json_dump(