Merge pull request #3856 from Drumstickx/master

Fixed sql injection vulnerability in users_and_enterprises_report.

lib/open_food_network/users_and_enterprises_report.rb

@@ -38,35 +38,64 @@ module OpenFoodNetwork
     end
 
     def owners_and_enterprises
-      query = "SELECT enterprises.name, enterprises.sells, enterprises.visible, enterprises.is_primary_producer, enterprises.created_at AS created_at,
-      'owns' AS relationship_type, owners.email as user_email FROM enterprises
-      LEFT JOIN spree_users AS owners ON owners.id=enterprises.owner_id
-      WHERE enterprises.id IS NOT NULL
-      #{ params[:enterprise_id_in].present? ? "AND enterprises.id IN (#{ params[:enterprise_id_in] })" : "" }
-      #{ params[:user_id_in].present? ? "AND owners.id IN (#{ params[:user_id_in] })" : "" }
-      ORDER BY enterprises.created_at DESC"
+      query = Enterprise.joins("LEFT JOIN spree_users AS owner ON enterprises.owner_id = owner.id")
+        .where("enterprises.id IS NOT NULL")
 
-      ActiveRecord::Base.connection.execute(query).to_a
+      query = filter_by_int_list_if_present(query, "enterprises.id", params[:enterprise_id_in])
+      query = filter_by_int_list_if_present(query, "owner.id", params[:user_id_in])
+
+      query_helper(query, :owner, :owns)
     end
 
     def managers_and_enterprises
-      query = "SELECT enterprises.name, enterprises.sells, enterprises.visible, enterprises.is_primary_producer, enterprises.created_at AS created_at,
-      'manages' AS relationship_type, managers.email as user_email FROM enterprises
-      LEFT JOIN enterprise_roles ON enterprises.id=enterprise_roles.enterprise_id
-      LEFT JOIN spree_users AS managers ON enterprise_roles.user_id=managers.id
-      WHERE enterprise_id IS NOT NULL
-      #{ params[:enterprise_id_in].present? ? "AND enterprise_id IN (#{ params[:enterprise_id_in] })" : "" }
-      AND user_id IS NOT NULL
-      #{ params[:user_id_in].present? ? "AND user_id IN (#{ params[:user_id_in] })" : "" }
-      ORDER BY enterprises.created_at DESC"
+      query = Enterprise
+        .joins("LEFT JOIN enterprise_roles ON enterprises.id = enterprise_roles.enterprise_id")
+        .joins("LEFT JOIN spree_users AS managers ON enterprise_roles.user_id = managers.id")
+        .where("enterprise_id IS NOT NULL")
+        .where("user_id IS NOT NULL")
 
-      ActiveRecord::Base.connection.execute(query).to_a
+      query = filter_by_int_list_if_present(query, "enterprise_id", params[:enterprise_id_in])
+      query = filter_by_int_list_if_present(query, "user_id", params[:user_id_in])
+
+      query_helper(query, :managers, :manages)
+    end
+
+    def query_helper(query, email_user, relationship_type)
+      query.order("enterprises.created_at DESC")
+        .select(["enterprises.name",
+                 "enterprises.sells",
+                 "enterprises.visible",
+                 "enterprises.is_primary_producer",
+                 "enterprises.created_at",
+                 "#{email_user}.email AS user_email"])
+        .to_a
+        .map { |x|
+        {
+          name: x.name,
+          sells: x.sells,
+          visible: (x.visible ? 't' : 'f'),
+          is_primary_producer: (x.is_primary_producer ? 't' : 'f'),
+          created_at: x.created_at.utc.iso8601,
+          relationship_type: relationship_type,
+          user_email: x.user_email
+        }.stringify_keys }
     end
 
     def users_and_enterprises
       sort( owners_and_enterprises.concat managers_and_enterprises )
     end
 
+    def filter_by_int_list_if_present(query, filtered_field_name, int_list)
+      if int_list.present?
+        query = query.where("#{filtered_field_name} IN (?)", split_int_list(int_list))
+      end
+      query
+    end
+
+    def split_int_list(int_list)
+      int_list.split(',').map(&:to_i)
+    end
+
     def sort(results)
       results.sort do |a,b|
         if a["created_at"].nil? || b["created_at"].nil?