feat: validate query conditions (#10595)

Query conditions can take arbitrary values, which can cause SQL
errors. This PR fixes that.
This commit is contained in:
Shivam Mishra
2024-12-17 17:16:37 +05:30
committed by GitHub
parent e3109dbb22
commit b34dac7bbe
14 changed files with 119 additions and 1 deletions


@@ -27,6 +27,7 @@ class AutomationRule < ApplicationRecord
validate :json_conditions_format
validate :json_actions_format
validate :query_operator_presence
validate :query_operator_value
validates :account_id, presence: true
after_update_commit :reauthorized!, if: -> { saved_change_to_conditions? }
@@ -83,6 +84,24 @@ class AutomationRule < ApplicationRecord
operators = conditions.select { |obj, _| obj['query_operator'].nil? }
errors.add(:conditions, 'Automation conditions should have query operator.') if operators.length > 1
end
# This validation ensures logical operators are being used correctly in automation conditions.
# And we don't push any unsanitized query operators to the database.
def query_operator_value
conditions.each do |obj|
validate_single_condition(obj)
end
end
def validate_single_condition(condition)
query_operator = condition['query_operator']
return if query_operator.nil?
return if query_operator.empty?
operator = query_operator.upcase
errors.add(:conditions, 'Query operator must be either "AND" or "OR"') unless %w[AND OR].include?(operator)
end
end
AutomationRule.include_mod_with('Audit::AutomationRule')
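Review bot: `validate_single_condition` assumes `query_operator` is a String: `query_operator.empty?` and `query_operator.upcase` raise NoMethodError when the JSON value is, say, a number, array or hash, so a malformed condition surfaces as an exception instead of a validation error on `:conditions`. Replacing the two early returns and the check with `return if query_operator.blank?` followed by `errors.add(:conditions, 'Query operator must be either "AND" or "OR"') unless query_operator.is_a?(String) && %w[AND OR].include?(query_operator.upcase)` keeps the nil/empty pass-through and rejects every non-token value. Note also that the comparison is done on the upcased copy while the raw value (e.g. `'and'`) is what gets persisted; if the code that later builds the query expects the exact tokens, it may be worth normalising the stored value rather than only validating it. Whether `validate_single_condition` ends up public or private depends on a `private` marker above the hunk, which is outside this view.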