From cda29e394b10bcec32402246063ea43ddbaf1339 Mon Sep 17 00:00:00 2001
From: Paul Bob <69730720+Paul-Bob@users.noreply.github.com>
Date: Thu, 9 May 2024 13:49:38 +0300
Subject: [PATCH] security: prevent SQL injection in sorting param (#2757)
---
 app/controllers/avo/base_controller.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/app/controllers/avo/base_controller.rb b/app/controllers/avo/base_controller.rb
index 75a6a5521e..4e26e87171 100644
--- a/app/controllers/avo/base_controller.rb
+++ b/app/controllers/avo/base_controller.rb
@@ -48,13 +48,18 @@ def index
 @query = @query.unscope(:order)
 end
 
+ sanitized_sort_direction = @index_params[:sort_direction].presence_in(["asc", "desc"])
+
 # Check if the sortable field option is actually a proc and we need to do a custom sort
- field_id = @index_params[:sort_by].to_sym
- field = @resource.get_field_definitions.find { |field| field.id == field_id }
+ sort_by = @index_params[:sort_by].to_sym
+ field = @resource.get_field(sort_by)
 @query = if field&.sortable.is_a?(Proc)
- field.sortable.call(@query, @index_params[:sort_direction])
+ field.sortable.call(@query, sanitized_sort_direction)
+ elsif field.present? && sanitized_sort_direction
+ @query.order("#{@resource.model_class.table_name}.#{sort_by} #{sanitized_sort_direction}")
+ # Transform Model to ActiveRecord::Relation because Avo expects one.
 else
- @query.order("#{@resource.model_class.table_name}.#{@index_params[:sort_by]} #{@index_params[:sort_direction]}")
+ @query.where("1=1")
 end
 end
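Review bot: The new `elsif` branch still builds the ORDER BY clause by string interpolation, so its safety now rests entirely on `@resource.get_field(sort_by)` returning a field only for ids that are plain column identifiers, which this hunk cannot show; letting Active Record quote the column removes that dependency, e.g. `@query.order(sort_by => sanitized_sort_direction)` (hash-form `order` qualifies the key with the model's table and raises on a bad direction), or `@query.order(@resource.model_class.arel_table[sort_by].public_send(sanitized_sort_direction))` if the table must come from `@resource.model_class`. That branch also orders on any defined field regardless of its `sortable` option — if `sortable` defaults to off in Avo, `elsif field&.sortable && sanitized_sort_direction` would keep the server-side allowlist aligned with what the UI offers. Separately, the added comment `# Transform Model to ActiveRecord::Relation because Avo expects one.` sits inside the `elsif` branch after the `order` call but describes the `else` branch; move it directly above `@query.where("1=1")`, where `@query.all` is the idiomatic way to obtain that relation. The enclosing `index` method starts and ends outside the hunk.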