Summary

The =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization.

Detail

new "=n", label: :label_equals do
  def modify(query, field, value)
    query.where "#{field} = #{parse_number_string(value)}"  # SQL INJECTION
    query
  end
end

parse_number_string only strips locale delimiters, not SQL metacharacters. Value is user-controlled via cost report filter params.

Impact

Authenticated user with cost report access can read/modify any database data.

Fix

query.where ["#{field} = ?", parse_number_string(value)]