Fixed SQL injection

a114c988 · Shinya Maeda · d15c120f · a114c988
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

app/finders/pipelines_finder.rb app/finders/pipelines_finder.rb +2 -2

未找到文件。
--- a/app/finders/pipelines_finder.rb
+++ b/app/finders/pipelines_finder.rb
@@ -103,9 +103,9 @@ class PipelinesFinder
    if params[:order_by].present? && params[:sort].present? && 
        items.column_names.include?(params[:order_by]) && 
        (params[:sort].casecmp('ASC') || params[:sort].casecmp('DESC'))
-      items.order("#{params[:order_by]} #{params[:sort]}")
+      items.reorder(params[:order_by] => params[:sort])
    else
-      items.order(id: :desc)
+      items.reorder(id: :desc)
    end
  end
 end