path: root/app/models/chouette/line.rb
author    Teddy Wing            2018-03-05 17:39:19 +0100
committer Johan Van Ryseghem    2018-03-07 13:19:41 +0100
commit    7034809b7ce458c32597026d69afdf5c37db6bd4 (patch)
tree      6cf5863b2de2e84baaef12e8c673eced20dab2b5 /app/models/chouette/line.rb
parent    3dea399922f40eb6afeca9f08910ab91cddeefea (diff)
AutocompleteLines: Sanitize `:q` param in `LIKE` operator
Johan made a number of good points here:

> * I think this belongs in the model
> * I would rather use a named parameter here
>   `.where('lines.number LIKE :q OR lines.names LIKE :q ...', q: "%#{params[:q]}%")`
> * You should definitely escape the params before passing it to your db. `sanitize_sql_like` seems like the best choice here

I wasn't thinking about sanitisation at all and just assumed the `?`s in the prepared statement would take care of it for me. But obviously, we're passing `%`s in the param, so users can of course do the same thing.

Protect against this using the `ActiveRecord::Sanitization#sanitize_sql_like` method. This is a private class method, so in order to use it we have to call it from inside the `Chouette::Line` model.

And of course the named parameters are a no-brainer. At the time, I had seen that `Array` splat somewhere else in the codebase and just blindly copied the format, forgetting that named parameters even existed.

Refs #5889
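The point the commit message makes is that a bound parameter protects against SQL injection but not against wildcard injection: whatever the user types lands inside the `%...%` pattern, so a `%` or `_` in the search term is interpreted by `LIKE` as a wildcard. The block below is an added example, not code from chouette-core or its authors. It re-implements the substitution ActiveRecord's `sanitize_sql_like` performs (prefixing `\`, `%` and `_` with a backslash) so it runs without Rails, emulates SQL `LIKE` semantics in Ruby for the demonstration, and uses a constructed set of rows in place of the `lines` table; all three are assumptions for the example.

```ruby
# Added example (not chouette-core code): why a bound parameter alone does not
# protect a LIKE pattern, and what escaping the wildcards changes.

ESCAPE = "\\"

# Same transformation ActiveRecord::Sanitization#sanitize_sql_like applies:
# every escape character, '%' and '_' gets the escape character in front of it.
# Re-implemented here so the example runs without Rails.
def sanitize_sql_like(string, escape_character = ESCAPE)
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| [escape_character, x].join }
end

# Emulation of SQL LIKE for the demo: '%' matches any run, '_' one character,
# and a backslash-escaped character matches itself (PostgreSQL's default ESCAPE).
def like_to_regexp(pattern, escape_character = ESCAPE)
  out = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == escape_character && i + 1 < chars.length
      out << Regexp.escape(chars[i + 1])   # escaped wildcard is literal
      i += 2
      next
    end
    out << case c
           when "%" then ".*"
           when "_" then "."
           else Regexp.escape(c)
           end
    i += 1
  end
  /\A#{out}\z/m
end

def sql_like?(value, pattern)
  like_to_regexp(pattern).match?(value)
end

# Constructed sample rows standing in for lines.number / lines.name.
LINES = [
  { number: "A1",  name: "Airport express" },
  { number: "B12", name: "Beach line" },
  { number: "50%", name: "Half-fare shuttle" },
  { number: "C_3", name: "Campus loop" },
].freeze

# Builds the pattern the way the scope does ("%" + q + "%") and returns the
# matching line numbers. escape: false reproduces the pre-fix behaviour.
def by_name(q, escape: true)
  q = sanitize_sql_like(q) if escape
  pattern = "%#{q}%"
  LINES.select { |l| sql_like?(l[:number], pattern) || sql_like?(l[:name], pattern) }
       .map { |l| l[:number] }
end
```

Without escaping, a search term of `%` or `_` returns every row, and `B_2` matches `B12`; with `sanitize_sql_like` applied, `%` finds only the row whose number literally contains a percent sign and `B_2` finds nothing. Because PostgreSQL's default escape character for `LIKE` and `ILIKE` is the backslash, the escaped pattern can be bound as-is, without an `ESCAPE` clause.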
Diffstat (limited to 'app/models/chouette/line.rb')
-rw-r--r--  app/models/chouette/line.rb  10
1 files changed, 10 insertions, 0 deletions
diff --git a/app/models/chouette/line.rb b/app/models/chouette/line.rb
index b3c4f2463..f65d313b3 100644
--- a/app/models/chouette/line.rb
+++ b/app/models/chouette/line.rb
@@ -43,6 +43,16 @@ module Chouette
scope :by_text, ->(text) { where('lower(name) LIKE :t or lower(published_name) LIKE :t or lower(objectid) LIKE :t or lower(comment) LIKE :t or lower(number) LIKE :t',
t: "%#{text.downcase}%") }
+ scope :by_name, ->(name) {
+ joins(:company)
+ .where('
+ lines.number LIKE :q
+ OR lines.name LIKE :q
+ OR companies.name ILIKE :q',
+ q: "%#{sanitize_sql_like(name)}%"
+ )
+ }
+
def self.nullable_attributes
[:published_name, :number, :comment, :url, :color, :text_color, :stable_id]
end
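Review bot: the three columns in `by_name` are matched inconsistently: `lines.number LIKE :q` and `lines.name LIKE :q` are case-sensitive while `companies.name ILIKE :q` is not, so a search for "airport" would match a company called "Airport" but not a line of that name; the `by_text` scope directly above applies `lower()` to every column, so either use `ILIKE` for all three or follow that convention. Separately, the wildcard problem this commit fixes is still present in `by_text`, whose `t: "%#{text.downcase}%"` interpolates the raw search term, so wrapping that term in `sanitize_sql_like` as well would close the same hole. The escaping itself is fine as written: `sanitize_sql_like` prefixes `%`, `_` and `\` with a backslash, which is PostgreSQL's default escape character for `LIKE` and `ILIKE`, so no `ESCAPE` clause is needed.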