Merge pull request #73 from travis-ci/igor-sql

arthurnn · web-flow · commit 36d4d75217cc · 2018-09-21T12:32:18.000-04:00
improved sql comment handling
diff --git a/lib/marginalia/comment.rb b/lib/marginalia/comment.rb
@@ -26,9 +26,17 @@ def self.construct_comment
         end
       end
       ret.chop!
+      ret = self.escape_sql_comment(ret)
       ret
     end
 
+    def self.escape_sql_comment(str)
+      while str.include?('/*') || str.include?('*/')
+        str = str.gsub('/*', '').gsub('*/', '')
+      end
+      str
+    end
+
     def self.clear!
       self.marginalia_controller = nil
     end
diff --git a/test/query_comments_test.rb b/test/query_comments_test.rb
@@ -272,6 +272,15 @@ def test_active_job
     end
   end
 
+  def test_good_comment
+    assert_equal Marginalia::Comment.escape_sql_comment('app:foo'), 'app:foo'
+  end
+
+  def test_bad_comments
+    assert_equal Marginalia::Comment.escape_sql_comment('*/; DROP TABLE USERS;/*'), '; DROP TABLE USERS;'
+    assert_equal Marginalia::Comment.escape_sql_comment('**//; DROP TABLE USERS;/*'), '; DROP TABLE USERS;'
+  end
+
   def teardown
     Marginalia.application_name = nil
     Marginalia::Comment.lines_to_ignore = nil
