Refactor Status.tagged_with_all for brakeman SQL injection warning (#25941)

2023-07-13 09:52:37 -04:00
parent 70cc7bdbba
commit 644c5fddd8
2 changed files with 4 additions and 25 deletions
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -103,7 +103,9 @@ class Status < ApplicationRecord
  scope :not_domain_blocked_by_account, ->(account) { account.excluded_from_timeline_domains.blank? ? left_outer_joins(:account) : left_outer_joins(:account).where('accounts.domain IS NULL OR accounts.domain NOT IN (?)', account.excluded_from_timeline_domains) }
  scope :tagged_with_all, lambda { |tag_ids|
    Array(tag_ids).map(&:to_i).reduce(self) do |result, id|
-      result.joins("INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}")
+      result.where(<<~SQL.squish, tag_id: id)
+        EXISTS(SELECT 1 FROM statuses_tags WHERE statuses_tags.status_id = statuses.id AND statuses_tags.tag_id = :tag_id)
+      SQL
    end
  }
  scope :tagged_with_none, lambda { |tag_ids|