Merge pull request #576 from okriuchykhin/ok_SCI_763

Add additional sanitization to search parameters in datatables [SCI-763]

app/datatables/sample_datatable.rb

@@ -7,6 +7,7 @@ class SampleDatatable < AjaxDatatablesRails::Base
   include Rails.application.routes.url_helpers
   include ActionView::Helpers::UrlHelper
   include ApplicationHelper
+  include ActiveRecord::Sanitization::ClassMethods
 
   ASSIGNED_SORT_COL = 'assigned'
 
@@ -393,11 +394,11 @@ class SampleDatatable < AjaxDatatablesRails::Base
     elsif column == 'created_at'
       casted_column = ::Arel::Nodes::NamedFunction.new('CAST',
                         [ Arel.sql("to_char( samples.created_at, '#{ formated_date }' ) AS VARCHAR") ] )
-      casted_column.matches("%#{value}%")
+      casted_column.matches("%#{sanitize_sql_like(value)}%")
     else
       casted_column = ::Arel::Nodes::NamedFunction.new('CAST',
                         [model.arel_table[column.to_sym].as(typecast)])
-      casted_column.matches("%#{value}%")
+      casted_column.matches("%#{sanitize_sql_like(value)}%")
     end
   end
 

app/datatables/team_users_datatable.rb

@@ -1,5 +1,6 @@
 class TeamUsersDatatable < AjaxDatatablesRails::Base
   include InputSanitizeHelper
+  include ActiveRecord::Sanitization::ClassMethods
 
   def_delegator :@view, :link_to
   def_delegator :@view, :update_user_team_path
@@ -50,7 +51,7 @@ class TeamUsersDatatable < AjaxDatatablesRails::Base
         [model.arel_table[column.to_sym].as(typecast)]
       )
     end
-    casted_column.matches("%#{value}%")
+    casted_column.matches("%#{sanitize_sql_like(value)}%")
   end
 
   private

app/models/samples_table.rb

@@ -15,7 +15,6 @@ class SamplesTable < ActiveRecord::Base
       # delete column
       team_status['columns'].delete(column_index)
       team_status['columns'].keys.each do |index|
-        p index
         if index.to_i > column_index.to_i
           team_status['columns'][(index.to_i - 1).to_s] =
             team_status['columns'].delete(index)