lato 3.13.13 → 3.13.14

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 815bb28a8afbb532e9d57bdbd886843d184f5c22774f7f3391c579f4f5758244
4
- data.tar.gz: b39324de3225faf3848d02d31a8b2b08f61388608361cd51882f7721f5467d10
3
+ metadata.gz: 78ecb2c80260122c039786bb9eafcf4063684cde33b2fde9e00a12287f5bb3b1
4
+ data.tar.gz: a4967285b27502c359acf8324c492ad7263d470ead24b816ecace271bbc2f7c6
5
5
  SHA512:
6
- metadata.gz: a38c001ac6f0fc1005296ed69ad956ace666f6466f4a4a63eed759e9cae6c57cf0a73233f3af009919a4cccd94125ed5a5c00e51a74090356cedc467710ae194
7
- data.tar.gz: 46d415ce076c4f6b7f3e9255a9882b072e68c7d08e8d693c2310a98f6230692ecde17b82499857e798cd1f8b85bc1022169a6078decb19d88761b5da4044206f
6
+ metadata.gz: 1684bc930b0f3a8baa55081a6bc88b6ec9e22726283a484ec9cba8fe2ba262fb0b771ee16a30d88022efef585d1ebb0c8f508c3863f975d90588cb9581caa96f
7
+ data.tar.gz: 45be268b1d3267d8757834b4fbcdb774d996ae1f57b6f226c04f179e35742872e0da0411fb11dfec1954141103e763650f67bb9d0853381ec2dbe49d4e3634a4
@@ -37,14 +37,25 @@ module Lato
37
37
  if collection.respond_to?(:lato_index_search)
38
38
  collection = collection.lato_index_search(search)
39
39
  else
40
- query = @_lato_index[key][:searchable_columns].map do |key|
41
- if collection.column_for_attribute(key).type == :string || collection.column_for_attribute(key).type == :text || collection.column_for_attribute(key).type == :integer
42
- "LOWER(#{key}) LIKE :search"
40
+ query_parts = @_lato_index[key][:searchable_columns].map do |column_name|
41
+ # Sanitize column name per prevenire SQL injection
42
+ sanitized_column = connection.quote_column_name(column_name)
43
+ column_type = collection.column_for_attribute(column_name).type
44
+
45
+ case column_type
46
+ when :string, :text
47
+ "LOWER(#{sanitized_column}) LIKE :search"
48
+ when :integer, :decimal, :float
49
+ "CAST(#{sanitized_column} AS TEXT) LIKE :search"
43
50
  else
44
- "CAST(#{key} AS TEXT) LIKE :search"
51
+ "CAST(#{sanitized_column} AS TEXT) LIKE :search"
45
52
  end
46
53
  end
47
- collection = collection.where(query.join(' OR '), search: "%#{search.downcase.strip}%")
54
+
55
+ collection = collection.where(
56
+ query_parts.join(' OR '),
57
+ search: "%#{search.downcase.strip}%"
58
+ )
48
59
  end
49
60
  end
50
61
 
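Review bot: The user-supplied `search` bound on `search: "%#{search.downcase.strip}%"` is still placed into a LIKE pattern unescaped, so a `%` or `_` typed by the user acts as a wildcard instead of a literal; now that column names are quoted this is the remaining untrusted input in the query, and `search: "%#{ActiveRecord::Base.sanitize_sql_like(search.downcase.strip)}%"` would make it match literally. The receiver of `connection.quote_column_name(column_name)` is not visible in the hunk; if this module is not itself an ActiveRecord model, `collection.connection.quote_column_name(column_name)` (the relation delegates `connection` to its model class) is probably the receiver that is actually in scope. The `when :integer, :decimal, :float` branch and the `else` branch return the same string, so one of them can go, and the comment `# Sanitize column name per prevenire SQL injection` mixes Italian and English — `# Quote the column name to prevent SQL injection` reads cleanly. The enclosing method starts before this hunk.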
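--- a/data/lib/lato/version.rb
+++ b/data/lib/lato/version.rb
@@ -1,3 +1,3 @@
 module Lato
- VERSION = "3.13.13"
+ VERSION = "3.13.14"
 end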
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: lato
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.13.13
4
+ version: 3.13.14
5
5
  platform: ruby
6
6
  authors:
7
7
  - Gregorio Galante
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2025-07-03 00:00:00.000000000 Z
11
+ date: 2025-07-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails