SECURITY: SQL Injection in Admin List Active Users

lib/admin_user_index_query.rb

@@ -18,8 +18,20 @@ class AdminUserIndexQuery
     find_users_query.count
   end
 
+  def self.orderable_columns
+    %w(created_at days_visited posts_read_count topics_entered post_count trust_level)
+  end
+
   def initialize_query_with_order(klass)
-    order = [params[:order]]
+    order = []
+
+    custom_order = params[:order]
+    if custom_order.present? &&
+      without_dir = custom_order.downcase.sub(/ (asc|desc)$/, '')
+      if AdminUserIndexQuery.orderable_columns.include?(without_dir)
+        order << custom_order
+      end
+    end
 
     if params[:query] == "active"
       order << "COALESCE(last_seen_at, to_date('1970-01-01', 'YYYY-MM-DD')) DESC"

spec/components/admin_user_index_query_spec.rb

@@ -16,6 +16,16 @@ describe AdminUserIndexQuery do
       query = ::AdminUserIndexQuery.new({ query: "active" })
       expect(query.find_users_query.to_sql).to match("last_seen_at")
     end
+
+    it "can't be injected" do
+      query = ::AdminUserIndexQuery.new({ order: "wat, no" })
+      expect(query.find_users_query.to_sql).not_to match("wat, no")
+    end
+
+    it "allows custom ordering" do
+      query = ::AdminUserIndexQuery.new({ order: "trust_level DESC" })
+      expect(query.find_users_query.to_sql).to match("trust_level DESC")
+    end
   end
 
   describe "no users with trust level" do