From 7dd30da40d386909bc5d294e6d1979b78088e8d0 Mon Sep 17 00:00:00 2001
From: David Davis
Date: Mon, 11 Apr 2016 13:39:05 -0400
Subject: [PATCH] Fixes #14381 - Escaping sort columns in scoped_search

---
 app/controllers/katello/api/v2/api_controller.rb | 5 +++--
 test/controllers/api/v2/api_controller_test.rb | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 test/controllers/api/v2/api_controller_test.rb

diff --git a/app/controllers/katello/api/v2/api_controller.rb b/app/controllers/katello/api/v2/api_controller.rb
index 7556930..f5693c0 100644
--- a/app/controllers/katello/api/v2/api_controller.rb
+++ b/app/controllers/katello/api/v2/api_controller.rb
@@ -62,8 +62,9 @@ module Katello
 sort_attr = params[:sort_by] || default_sort_by
 if sort_attr
- sort_attr = "#{query.table_name}.#{sort_attr}" unless sort_attr.to_s.include?('.')
- query = query.order("#{sort_attr} #{params[:sort_order] || default_sort_order}")
+ sort_order = (params[:sort_order] || default_sort_order).to_s.downcase
+ sort_order = default_sort_order unless ['desc', 'asc'].include?(sort_order)
+ query = query.order(sort_attr => sort_order.to_sym)
 elsif options[:custom_sort]
 query = options[:custom_sort].call(query)
 end
diff --git a/test/controllers/api/v2/api_controller_test.rb b/test/controllers/api/v2/api_controller_test.rb
new file mode 100644
index 0000000..cb57f27
--- /dev/null
+++ b/test/controllers/api/v2/api_controller_test.rb
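Review bot: Dropping the `unless sort_attr.to_s.include?('.')` branch silently changes the contract for any caller that passes a table-qualified `sort_by` (for example a column from a joined table): as a hash key to `order`, a dotted string is quoted by ActiveRecord as one identifier rather than `table.column`, so those requests would presumably now fail at the database instead of sorting — worth checking existing callers before merging. `sort_attr` itself is still user-controlled and only protected by identifier quoting; an unknown column surfaces as a database error rather than a clean 4xx, so consider validating it before `order`, e.g. `sort_attr = default_sort_by unless query.column_names.include?(sort_attr.to_s)` (or against `options[:resource_class].column_names`, which the new test supplies). When both `params[:sort_order]` and `default_sort_order` are nil, the fallback line leaves `sort_order` nil and `nil.to_sym` raises `NoMethodError`; if nil defaults are possible, `sort_order = (default_sort_order || 'asc').to_s.downcase` would close that gap. The enclosing `scoped_search` method begins and ends outside this hunk, so I cannot see whether its signature guarantees a non-nil default.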
@@ -0,0 +1,23 @@
+# encoding: utf-8
+
+require "katello_test_helper"
+
+module Katello
+ class Api::V2::ApiControllerTest < ActionController::TestCase
+ def setup
+ @controller = Katello::Api::V2::ApiController.new
+ @errata = katello_errata
+ end
+
+ def test_scoped_search_order
+ params = {:sort_by => "errata_id", :sort_order => "DESC'"} # sql injection
+ @controller.stubs(:params).returns(params)
+
+ query = Erratum.all
+ options = {resource_class: Katello::Erratum}
+
+ results = @controller.scoped_search(query, "errata_id", "asc", options)[:results]
+ assert_equal ["RHBA-2014-013", "RHEA-2014-111", "RHSA-1999-1231"], results.map(&:errata_id)
+ end
+ end
+end
--
1.8.3.1
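Review bot: The test only exercises the `sort_order` fallback; the column name taken from `params[:sort_by]` — the vector the subject line "Escaping sort columns" refers to — is never given a non-identifier value, so a regression in how the hash key reaches `order` would pass unnoticed. Add a second case whose `:sort_by` is not a bare column name (containing a quote or whitespace) and assert that the call either sorts by the default column or raises the application's own validation error, rather than asserting nothing about it. The `# sql injection` comment would be clearer as `# invalid direction must fall back to the "asc" default, not reach SQL`, which is what the `assert_equal` on ascending order actually checks. A short comment above `test_scoped_search_order` stating that it depends on the `katello_errata` fixture order would also help the next reader, since the expected ids are hard-coded.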