fix: sql attack

2026-05-03 03:40:49 +08:00 · 2021-06-17 16:13:40 +08:00
parent 880f09a94a
commit 09dfd504c2
17 changed files with 59 additions and 39 deletions
--- a/app/controllers/organizations/projects_controller.rb
+++ b/app/controllers/organizations/projects_controller.rb
@@ -36,10 +36,10 @@ class Organizations::ProjectsController < Organizations::BaseController
  end

  def sort
-    params.fetch(:sort_by, "updated_on")
+    Project.column_names.include?(params[:sort_by]) ? params[:sort_by] : 'updated_on'
  end

  def sort_direction
-    params.fetch(:sort_direction, "desc")
+    %w(desc asc).include?(params[:sort_direction]) ? params[:sort_direction] : 'desc'
  end
 end