accept validateParams audits in filter
kaligrafy committed Mar 14, 2024
1 parent 70abe90 commit 298aaf2
Showing 1 changed file with 3 additions and 2 deletions.
Expand Up @@ -376,11 +376,12 @@ const getRawWhereClause = (
): string | [string, string | boolean | number] | undefined => {
// Make sure the field is a legitimate field to avoid sql injection. Field
// is either the name of a field, or a dot-separated path in a json object
// of the 'responses' field. We should not accept anything else.
// of the 'responses' field, or an audit name for validateParams,
// which includes "-" and ":". We should not accept anything else.
// TODO Once the individual surveys are typed and the expected
// responses are known in advance, try to completely type the responses
// object and make sure the field here matches an actual path
const dotSeparatedStringRegex = /^[\w\.]*$/g;
const dotSeparatedStringRegex = /^[\w\:\-\.]*$/g;
const match = field.match(dotSeparatedStringRegex);
if (match === null) {
throw new TrError(
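Review bot: The widened class in `/^[\w\:\-\.]*$/g` applies to every value of `field`, not only to validateParams audit names, so plain field names and dot-separated paths into 'responses' may now contain `-` and `:` as well. The comment describes this check as the SQL injection guard for a raw where clause, and the new pattern lets through sequences such as `--`, which begins an SQL line comment. Consider validating audit names with their own stricter pattern and keeping `/^[\w\.]*$/` for field paths, or confirm that `field` only ever reaches the query as a bound value. Smaller points: the name `dotSeparatedStringRegex` no longer describes what is matched, `*` still accepts an empty string, the `g` flag is unnecessary on a fully anchored pattern, and `:` and `.` need no escaping inside a character class.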