Rails master has removed the query injection point
albus522 opened this issue · 4 comments
This commit removed the method you override rails/rails@56f3096#diff-e8e1f9880a53f14486e821e99539d658
This worked for us to fix the issue.
module BlindIndex
module Extensions
module PredicateBuilder
def build(attribute, value, operator = nil) # rubocop:disable Metrics/AbcSize
klass = attribute.relation.instance_variable_get(:@klass)
if klass.respond_to?(:blind_indexes) && (bi = klass.blind_indexes[attribute.name.to_sym])
attribute = attribute.relation[bi[:bidx_attribute]]
value =
if value.is_a?(Array)
value.map { |v| BlindIndex.generate_bidx(v, **bi) }
else
BlindIndex.generate_bidx(value, **bi)
end
end
super(attribute, value, operator)
end
end
end
end
ActiveSupport.on_load(:active_record) do
ActiveRecord::PredicateBuilder.prepend(BlindIndex::Extensions::PredicateBuilder)
end
I'll try to submit a PR integrating this change unless you can beat me to it. I don't have time to do a complete PR with testing right this moment.
Cool. I think my above snippet might expand functionality. I am pretty sure hooking in to the build method allows association traversal to work. A query that joins a model with a blind index and tries to search that. joins(:something_with_blind_index).where(something_with_blind_index: {blind_field: 'something'})
Nice catch. It looks like the current code doesn't support joins. Just pushed an update to the activerecord61
with the approach above (slightly modified). Thanks for sharing!
Just released a new version that works with Rails master. Thanks again for putting together the fix.