Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Method List dialog #23106

Merged
merged 2 commits into from
Jul 29, 2024
Merged

Method List dialog #23106

merged 2 commits into from
Jul 29, 2024

Conversation

kbrock
Copy link
Member

@kbrock kbrock commented Jul 24, 2024

Overview

Part of ManageIQ/manageiq-ui-classic#9047

Adds scopes for: ManageIQ/manageiq-ui-classic#9059

This PR is an RnD work related to the search feature for the selection of the method.

Alternative to #22921


First commit deletes a bunch of code from the spec
Second commit is method and specs

Discussion: do we want to have conditional ids logic here or over in the ui?

@kbrock kbrock requested review from agrare and Fryguy as code owners July 24, 2024 20:20
@kbrock kbrock changed the title Pr 22921 Method List dialog Jul 24, 2024
@kbrock kbrock mentioned this pull request Jul 24, 2024
@kbrock kbrock force-pushed the pr-22921 branch 2 times, most recently from 51420d7 to 83d7e16 Compare July 25, 2024 13:46
@kbrock
Copy link
Member Author

kbrock commented Jul 25, 2024

update:

  • removed name and domain methods (moved into controller)

update:

  • rubocops

update:

  • had removed only specs, removed name and domain methods impl (oops)

@kbrock kbrock force-pushed the pr-22921 branch 2 times, most recently from 3356960 to ac8aad8 Compare July 25, 2024 15:05
# finds by name or namespace. not domain
# @param [nil,String] search
scope :name_path_search, lambda { |search|
search.present? ? where(arel_table[:relative_path].matches("%#{search}%")) : where({})
Copy link
Member

@Fryguy Fryguy Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a potential security issue? We try to avoid interpolation and use parameter binding instead. What would happen if the search itself had a % ?

Perhaps use sanitize_sql_like ?

Copy link
Member Author

@kbrock kbrock Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In core I see:

  • 1: use of sanitize_sql_like (actually across all our code)
  • 15: uses of the way I presented it. (grep for 'matches.*%')
  • 24: uses of "like ?", ...% (grep 'like *(*\?')
  • 44: uses of where... #{} (grep where.*#{)

Do we actually care if someone uses % in the phrase?

I'll look into making these changes but since we are adding in a wild character, not sure why it buys us.

Copy link
Member

@Fryguy Fryguy Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's more of a best practices thing? I thought like ? with bindings was typically the way to do it, but if matches with interpolation also works, then I'm fine with it.

Do we actually care if someone uses % in the phrase?

% in the phrase is really a question to you? Will name_path_search break if someone has a literal % in their namespace path? Is that even a valid character? Same goes for ?. It might be worth having a test case for that particular scenario to make sure it works and that this code can find those edge cases.

Copy link
Member Author

@kbrock kbrock Jul 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Verified that this pattern is not susceptible to sql injection attacks. interpolation in the main sql is, but the arguments are secure
  2. If searching for a string with a %, it finds it, but treats it as a wild character
  3. Method names can not have a % in them, but I feel our conversation may be about the bigger picture, so I'm trying not to get bound down by this

I added a test case. Was not able to add a method with a % in the name, but came as close as I could.

@kbrock
Copy link
Member Author

kbrock commented Jul 26, 2024

update:

  • added spec with % in search

update:

  • rebased
  • squashed and reworded commits

@miq-bot
Copy link
Member

miq-bot commented Jul 26, 2024

Checked commits kbrock/manageiq@a4e86f0~...5d2ddfe with ruby 3.1.5, rubocop 1.56.3, haml-lint 0.51.0, and yamllint
3 files checked, 0 offenses detected
Everything looks fine. ⭐

@Fryguy Fryguy merged commit 2d788d1 into ManageIQ:master Jul 29, 2024
8 checks passed
@Fryguy Fryguy self-assigned this Jul 29, 2024
@kbrock kbrock deleted the pr-22921 branch July 29, 2024 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants