Merge branch 'hotfix/4.11.2' into develop

spec/services/contacts/filter_service_spec.rb

@@ -49,6 +49,11 @@ describe Contacts::FilterService do
            account: account,
            attribute_model: 'contact_attribute',
            attribute_display_type: 'date')
+    create(:custom_attribute_definition,
+           attribute_key: 'lifetime_value',
+           account: account,
+           attribute_model: 'contact_attribute',
+           attribute_display_type: 'number')
   end
 
   describe '#perform' do
@@ -60,7 +65,7 @@ describe Contacts::FilterService do
 
       en_contact.update!(custom_attributes: { contact_additional_information: 'test custom data' })
       el_contact.update!(custom_attributes: { contact_additional_information: 'test custom data', customer_type: 'platinum' })
-      cs_contact.update!(custom_attributes: { customer_type: 'platinum', signed_in_at: '2022-01-19' })
+      cs_contact.update!(custom_attributes: { customer_type: 'platinum', signed_in_at: '2022-01-19', lifetime_value: '120.50' })
     end
 
     context 'with standard attributes - name' do
@@ -272,6 +277,39 @@ describe Contacts::FilterService do
         expect(result[:contacts].pluck(:id)).to include(cs_contact.id)
         expect(result[:contacts].pluck(:id)).not_to include(en_contact.id)
       end
+
+      it 'binds last_activity_at comparison values as dates' do
+        date_value = '2024-01-01'
+        params[:payload] = [
+          {
+            attribute_key: 'last_activity_at',
+            filter_operator: 'is_greater_than',
+            values: [date_value],
+            query_operator: nil
+          }.with_indifferent_access
+        ]
+
+        service = filter_service.new(account, first_user, params)
+        filters = service.instance_variable_get(:@filters)['contacts']
+        condition_query = service.send(:build_condition_query, filters, params[:payload].first, 0)
+
+        expect(condition_query).to include('(contacts.last_activity_at)::date > :value_0')
+        expect(service.instance_variable_get(:@filter_values)['value_0']).to eq(Date.iso8601(date_value))
+      end
+
+      it 'rejects invalid last_activity_at comparison values' do
+        malicious_value = "2024-01-01'::date OR (SELECT pg_sleep(5)) IS NOT NULL --"
+        params[:payload] = [
+          {
+            attribute_key: 'last_activity_at',
+            filter_operator: 'is_greater_than',
+            values: [malicious_value],
+            query_operator: nil
+          }.with_indifferent_access
+        ]
+
+        expect { filter_service.new(account, first_user, params).perform }.to raise_error(CustomExceptions::CustomFilter::InvalidValue)
+      end
     end
 
     context 'with additional attributes' do
@@ -369,6 +407,72 @@ describe Contacts::FilterService do
         expect(result[:contacts].length).to be expected_count
         expect(result[:contacts].pluck(:id)).to include(el_contact.id)
       end
+
+      it 'binds custom date comparison values as dates' do
+        date_value = '2024-01-01'
+        params[:payload] = [
+          {
+            attribute_key: 'signed_in_at',
+            filter_operator: 'is_less_than',
+            values: [date_value],
+            query_operator: nil
+          }.with_indifferent_access
+        ]
+
+        service = filter_service.new(account, first_user, params)
+        filters = service.instance_variable_get(:@filters)['contacts']
+        condition_query = service.send(:build_condition_query, filters, params[:payload].first, 0)
+
+        expect(condition_query).to include("(contacts.custom_attributes ->> 'signed_in_at')::date < :value_0")
+        expect(service.instance_variable_get(:@filter_values)['value_0']).to eq(Date.iso8601(date_value))
+      end
+
+      it 'binds custom numeric comparison values as decimals' do
+        params[:payload] = [
+          {
+            attribute_key: 'lifetime_value',
+            filter_operator: 'is_greater_than',
+            values: ['100.25'],
+            query_operator: nil
+          }.with_indifferent_access
+        ]
+
+        service = filter_service.new(account, first_user, params)
+        filters = service.instance_variable_get(:@filters)['contacts']
+        condition_query = service.send(:build_condition_query, filters, params[:payload].first, 0)
+
+        expect(condition_query).to include("(contacts.custom_attributes ->> 'lifetime_value')::numeric > :value_0")
+        expect(service.instance_variable_get(:@filter_values)['value_0']).to eq(BigDecimal('100.25'))
+      end
+
+      it 'filters by custom numeric attributes' do
+        params[:payload] = [
+          {
+            attribute_key: 'lifetime_value',
+            filter_operator: 'is_greater_than',
+            values: ['100.25'],
+            query_operator: nil
+          }.with_indifferent_access
+        ]
+
+        result = filter_service.new(account, first_user, params).perform
+
+        expect(result[:contacts].pluck(:id)).to eq([cs_contact.id])
+      end
+
+      it 'rejects invalid custom date comparison values' do
+        malicious_value = "2024-01-01'::date OR (SELECT pg_sleep(5)) IS NOT NULL --"
+        params[:payload] = [
+          {
+            attribute_key: 'signed_in_at',
+            filter_operator: 'is_less_than',
+            values: [malicious_value],
+            query_operator: nil
+          }.with_indifferent_access
+        ]
+
+        expect { filter_service.new(account, first_user, params).perform }.to raise_error(CustomExceptions::CustomFilter::InvalidValue)
+      end
     end
   end
 end

spec/services/conversations/filter_service_spec.rb

@@ -417,6 +417,41 @@ describe Conversations::FilterService do
         expect(result[:conversations].length).to be expected_count
       end
 
+      it 'binds created_at comparison values as dates' do
+        date_value = '2024-01-01'
+        params[:payload] = [
+          {
+            attribute_key: 'created_at',
+            filter_operator: 'is_greater_than',
+            values: [date_value],
+            query_operator: nil,
+            custom_attribute_type: ''
+          }.with_indifferent_access
+        ]
+
+        service = filter_service.new(params, user_1, account)
+        filters = service.instance_variable_get(:@filters)['conversations']
+        condition_query = service.send(:build_condition_query, filters, params[:payload].first, 0)
+
+        expect(condition_query).to include('(conversations.created_at)::date > :value_0')
+        expect(service.instance_variable_get(:@filter_values)['value_0']).to eq(Date.iso8601(date_value))
+      end
+
+      it 'rejects invalid created_at comparison values' do
+        malicious_value = "2024-01-01'::date OR (SELECT pg_sleep(5)) IS NOT NULL --"
+        params[:payload] = [
+          {
+            attribute_key: 'created_at',
+            filter_operator: 'is_greater_than',
+            values: [malicious_value],
+            query_operator: nil,
+            custom_attribute_type: ''
+          }.with_indifferent_access
+        ]
+
+        expect { filter_service.new(params, user_1, account).perform }.to raise_error(CustomExceptions::CustomFilter::InvalidValue)
+      end
+
       it 'filter by created_at and conversation_type' do
         params[:payload] = [
           {