[BUG][RoR 7.1] ActiveRecord::normalizes can break `cont` predicate
When normalizing attributes using the new ActiveRecord::normalizes method, % could be tampered with.
class User < ActiveRecord::Base
  normalizes :name, with: ->(name) { name.gsub(/[^a-z0-9]/, '_') }
end
User.ransack({ name_cont: 'foo' }).result.to_sql
# => "SELECT \"users\".* FROM \"users\" WHERE \"users\".\"name\" LIKE '_foo_'"
#                                                                      ^   ^
#                                                                      %foo%
In my opinion, this should not be possible as normalizes should only apply to the attribute itself and the search term but not the wildcards.
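The following is an added example, not code from the issue or from Ransack, that shows why the order of operations matters: Ransack wraps the term in `%` before the attribute normalizer runs, and the normalizer turns those `%` into `_`, which SQL LIKE treats as a one-character wildcard rather than a literal. It is plain Ruby with no ActiveRecord; `sql_like_match?` is a small emulation of LIKE semantics, and `SAMPLE_NAMES` is a constructed stand-in for the `users` table.

```ruby
# Added example (not from the Ransack issue or the project). Demonstrates how
# applying the normalizer to "%foo%" instead of to "foo" changes the query's
# meaning. Pure Ruby; sql_like_match? emulates SQL LIKE (% = any run of
# characters, _ = exactly one character).

# The normalizer from the issue report: anything outside [a-z0-9] becomes '_'.
NORMALIZE_NAME = ->(name) { name.gsub(/[^a-z0-9]/, '_') }

# Emulate the database's LIKE operator so the effect can be observed offline.
def sql_like_match?(pattern, value)
  regex = pattern.each_char.map do |c|
    case c
    when '%' then '.*'
    when '_' then '.'
    else Regexp.escape(c)
    end
  end.join
  value.match?(/\A#{regex}\z/)
end

# What happens in the bug: the cont predicate builds "%foo%", then the
# attribute normalizer runs over the whole value and rewrites both % as _.
def buggy_cont_pattern(term)
  NORMALIZE_NAME.call("%#{term}%")
end

# What the reporter expects: normalize only the user's term, then wrap it.
def expected_cont_pattern(term)
  "%#{NORMALIZE_NAME.call(term)}%"
end

# Constructed sample rows standing in for users.name.
SAMPLE_NAMES = ['foo', 'xfoox', 'foobar', 'barfoo', 'user-foo', 'fo'].freeze

# Rows a LIKE with the given pattern would return from the sample table.
def matching_names(pattern)
  SAMPLE_NAMES.select { |n| sql_like_match?(pattern, n) }
end

if __FILE__ == $PROGRAM_NAME
  term = 'foo'
  buggy = buggy_cont_pattern(term)
  expected = expected_cont_pattern(term)
  puts "buggy:    LIKE '#{buggy}' => #{matching_names(buggy).inspect}"
  puts "expected: LIKE '#{expected}' => #{matching_names(expected).inspect}"
end
```

With the term `foo`, the buggy pattern `_foo_` only returns the single five-character row `xfoox`, while `%foo%` returns every row containing `foo`; the search silently drops results rather than failing. Note also that this particular normalizer emits `_`, which is itself a LIKE metacharacter, so a term such as `user-foo` becomes the pattern `%user_foo%` and would match `userXfoo` too; escaping the normalized term is a separate concern from the wildcard placement this issue is about.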
Still an issue in Rails 8.0.
There's a bug filed about this in Rails, but it's closed as "Not Planned":
https://github.com/rails/rails/issues/53532
Seems like maybe Ransack is using private Arel APIs and the fix would be to use Arel::Nodes::Quoted.
It might be a good solution to write a spec for Ransack, so if it breaks in newer Rails versions, it can be fixed later.