From ee9f3f8c25b856cd938d4de14be27401702a4588 Mon Sep 17 00:00:00 2001 From: VasilevNStas Date: Fri, 3 Jul 2026 23:18:29 +0300 Subject: [PATCH] #1668: prevent DSL injection in cover_qo factbase query Escape single quotes in judge name before Sexp interpolation. --- lib/cover_qo.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/cover_qo.rb b/lib/cover_qo.rb index 510331f675..6af4ba1f36 100644 --- a/lib/cover_qo.rb +++ b/lib/cover_qo.rb @@ -9,7 +9,9 @@ def Jp.cover_qo(days, judge: $judge, loog: $loog, today: Time.parse(ENV['TODAY'] || Time.now.utc.iso8601)) slice = days * 24 * 60 * 60 - facts = Fbe.fb.query("(and (eq what '#{judge}') (exists since) (exists when))").each.to_a.sort_by(&:since) + facts = Fbe.fb.query( + "(and (eq what '#{judge.gsub("'", "\\\\'")}') (exists since) (exists when))" + ).each.to_a.sort_by(&:since) last = facts.map(&:when).max if last.nil? Fbe.fb.insert.then do |n|