[webui] Fix Hakiri reported issue: SQL Injection

openSUSE · Aug 25, 2015 · afcf669 · afcf669
1 parent 2233087
commit afcf669
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/api/app/models/project.rb b/src/api/app/models/project.rb
@@ -133,7 +133,7 @@ def cleanup_before_destroy
   end
 
   def subprojects
-    Project.where("name like '#{name}:%'")
+    Project.where("name like ?", "#{name}:%")
   end
 
   def revoke_requests

diff --git a/src/api/app/models/user.rb b/src/api/app/models/user.rb
@@ -102,7 +102,7 @@ def password_hash_type=(value)
   # Generate accessors for the password confirmation property.
   attr_accessor :password_confirmation
 
-  scope :all_without_nobody, -> { where("login != '#{nobody_login}'") }
+  scope :all_without_nobody, -> { where("login != ?", nobody_login) }
 
   # Overriding the default accessor to update @new_password on setting this
   # property.