Merge pull request #3083 from DMPRoadmap/sql_injection_fix

raycarrick-ed · web-flow · commit 8aa57653f624 · 2022-01-28T12:14:01.000Z
untethered regex allows for sql injection
diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb
@@ -8,7 +8,7 @@ module Paginable
 
   ##
   # Regex to validate sort_field param is safe
-  SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]/.freeze
+  SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]+$/.freeze
 
   PAGINATION_QUERY_PARAMS = %i[page sort_field sort_direction
                                search controller action].freeze
