ankane/blind_index

Rails master has removed the query injection point

albus522 opened this issue · 4 comments

This commit removed the method you override rails/rails@56f3096#diff-e8e1f9880a53f14486e821e99539d658

This worked for us to fix the issue.

```ruby
module BlindIndex
  module Extensions
    module PredicateBuilder
      # Prepended onto ActiveRecord::PredicateBuilder so every where()
      # condition passes through here before the predicate is built.
      def build(attribute, value, operator = nil) # rubocop:disable Metrics/AbcSize
        # The attribute's relation tells us which model (and therefore which
        # blind index configuration) the condition belongs to, which also
        # covers attributes reached through joins.
        klass = attribute.relation.instance_variable_get(:@klass)
        if klass.respond_to?(:blind_indexes) && (bi = klass.blind_indexes[attribute.name.to_sym])
          # Query the bidx column instead of the (non-existent) plaintext column,
          # replacing the plaintext value(s) with their blind index values.
          attribute = attribute.relation[bi[:bidx_attribute]]
          value =
            if value.is_a?(Array) # IN (...) queries
              value.map { |v| BlindIndex.generate_bidx(v, **bi) }
            else
              BlindIndex.generate_bidx(value, **bi)
            end
        end

        super(attribute, value, operator)
      end
    end
  end
end

ActiveSupport.on_load(:active_record) do
  ActiveRecord::PredicateBuilder.prepend(BlindIndex::Extensions::PredicateBuilder)
end
```

I'll try to submit a PR integrating this change unless you can beat me to it. I don't have time to do a complete PR with testing right this moment.

Hey @albus522, the activerecord61 branch has support for Rails master.

Cool. I think my above snippet might expand functionality. I am pretty sure hooking in to the build method allows association traversal to work. A query that joins a model with a blind index and tries to search that: `joins(:something_with_blind_index).where(something_with_blind_index: {blind_field: 'something'})`
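To make the query rewriting in the snippet above concrete without needing Rails loaded, here is an added stand-alone Ruby example (not code from the blind_index gem or from anyone in this thread). It models what the prepended `build` method does: the relation (table) decides which blind index configuration applies, the attribute is swapped for its `bidx` column, and the plaintext value, scalar or Array, is replaced by blind index values. It also covers the joined-table case from the comment just above, where conditions for another model arrive as a nested hash. The `REGISTRY` hash, the table names, the HMAC-SHA256 stand-in for the gem's key derivation and the sample rows are all constructed for this example and are not the gem's real key derivation or API.

```ruby
require "openssl"
require "base64"

# Stand-in for the gem's key derivation (assumption: the real gem derives
# bidx values differently; HMAC-SHA256 is used here only to show the shape).
# Deterministic: same key + same plaintext => same bidx, so equality and
# IN queries work on the stored bidx column without decrypting anything.
def generate_bidx(value, key:, bidx_attribute: nil)
  return nil if value.nil?
  Base64.strict_encode64(OpenSSL::HMAC.digest("SHA256", key, value.to_s))
end

# Constructed per-table configuration, standing in for klass.blind_indexes.
REGISTRY = {
  users:    { email:  { key: "constructed-users-key",    bidx_attribute: :email_bidx } },
  accounts: { handle: { key: "constructed-accounts-key", bidx_attribute: :handle_bidx } }
}.freeze

# Mirrors PredicateBuilder#build: the table (relation) picks the config,
# the attribute becomes its bidx column, and the plaintext (scalar or Array
# for IN) is replaced by bidx values. Nested hashes are treated as
# conditions on a joined table, e.g. where(accounts: { handle: ... }).
def rewrite_where(registry, table, conditions)
  conditions.each_with_object({}) do |(attr, value), out|
    if value.is_a?(Hash) && registry.key?(attr.to_sym)
      out[attr.to_sym] = rewrite_where(registry, attr.to_sym, value)
    elsif (bi = registry.fetch(table, {})[attr.to_sym])
      out[bi[:bidx_attribute]] =
        value.is_a?(Array) ? value.map { |v| generate_bidx(v, **bi) } : generate_bidx(value, **bi)
    else
      out[attr.to_sym] = value # not blind-indexed: pass through untouched
    end
  end
end

# Constructed storage: only ciphertext and bidx are persisted, never plaintext.
def build_users(emails)
  emails.map.with_index(1) do |email, id|
    { id: id, email_ciphertext: "<ciphertext #{id}>",
      email_bidx: generate_bidx(email, **REGISTRY[:users][:email]) }
  end
end

# Minimal matcher over rows for one table's (already rewritten) conditions.
def select_rows(rows, conditions)
  rows.select do |row|
    conditions.all? { |k, v| v.is_a?(Array) ? v.include?(row[k]) : row[k] == v }
  end
end

# Defender's check: no plaintext search value may survive into the query
# that reaches the database (or its logs).
def leaks_plaintext?(rewritten, plaintexts)
  rewritten.values.flatten.any? do |v|
    v.is_a?(Hash) ? leaks_plaintext?(v, plaintexts) : plaintexts.include?(v)
  end
end

if __FILE__ == $PROGRAM_NAME
  users = build_users(["alice@example.com", "bob@example.com"])
  query = rewrite_where(REGISTRY, :users, { email: "alice@example.com" })
  p query                                   # only :email_bidx, no plaintext
  p select_rows(users, query).map { |r| r[:id] }
  p rewrite_where(REGISTRY, :users, { accounts: { handle: %w[a b] }, id: 2 })
end
```

The recursion on nested hashes is what gives the joined-model case for free: each level looks up the configuration for its own table, which is the same reason hooking `build` (where `attribute.relation` is available) works for association traversal where a model-level hook would not.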

Nice catch. It looks like the current code doesn't support joins. Just pushed an update to the activerecord61 with the approach above (slightly modified). Thanks for sharing!

Just released a new version that works with Rails master. Thanks again for putting together the fix.