Sanitize SQL arguments to prevent injections.

2025-06-26 22:31:35 +08:00 · 2017-07-26 17:10:13 +09:00
parent 3d330f8c5e
commit 3a46ea8bad
1 changed files with 18 additions and 11 deletions
--- a/app/models/group.rb
+++ b/app/models/group.rb
@ -438,17 +438,24 @@ class Group < ActiveRecord::Base
  def bulk_add(user_ids)
    if user_ids.present?
-      Group.exec_sql("INSERT INTO group_users
+      sql = <<~SQL
-                                  (group_id, user_id, created_at, updated_at)
+      INSERT INTO group_users
-                     SELECT #{self.id},
+        (group_id, user_id, created_at, updated_at)
-                            u.id,
+      SELECT
-                            CURRENT_TIMESTAMP,
+        #{self.id},
-                            CURRENT_TIMESTAMP
+        u.id,
-                     FROM users AS u
+        CURRENT_TIMESTAMP,
-                     WHERE u.id IN (#{user_ids.join(', ')})
+        CURRENT_TIMESTAMP
-                       AND NOT EXISTS(SELECT 1 FROM group_users AS gu
+      FROM users AS u
-                                      WHERE gu.user_id = u.id AND
+      WHERE u.id IN (:user_ids)
-                                            gu.group_id = #{self.id})")
+      AND NOT EXISTS (
        SELECT 1 FROM group_users AS gu
        WHERE gu.user_id = u.id AND
        gu.group_id = :group_id
      )
      SQL
      Group.exec_sql(sql, group_id: self.id, user_ids: user_ids)
      if self.primary_group?
        User.where(id: user_ids).update_all(primary_group_id: self.id)