Fix escape characters was not sanitized

lib/gitlab/sql/pattern.rb

@@ -11,9 +11,9 @@ module Gitlab
 
       def to_sql
         if exact_matching?
-          query
+          sanitized_query
         else
-          "%#{query}%"
+          "%#{sanitized_query}%"
         end
       end
 
@@ -24,6 +24,11 @@ module Gitlab
       def partial_matching?
         @query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
       end
+
+      def sanitized_query
+        # Note: ActiveRecord::Base.sanitize_sql_like is a protected method
+        ActiveRecord::Base.__send__(:sanitize_sql_like, query)
+      end
     end
   end
 end

spec/lib/gitlab/sql/pattern_spec.rb

@@ -12,6 +12,14 @@ describe Gitlab::SQL::Pattern do
       end
     end
 
+    context 'when a query with a escape character is shorter than 3 chars' do
+      let(:query) { '_2' }
+
+      it 'returns sanitized exact matching pattern' do
+        expect(to_sql).to eq('\_2')
+      end
+    end
+
     context 'when a query is equal to 3 chars' do
       let(:query) { '123' }
 
@@ -20,6 +28,14 @@ describe Gitlab::SQL::Pattern do
       end
     end
 
+    context 'when a query with a escape character is equal to 3 chars' do
+      let(:query) { '_23' }
+
+      it 'returns partial matching pattern' do
+        expect(to_sql).to eq('%\_23%')
+      end
+    end
+
     context 'when a query is longer than 3 chars' do
       let(:query) { '1234' }
 
@@ -27,5 +43,13 @@ describe Gitlab::SQL::Pattern do
         expect(to_sql).to eq('%1234%')
       end
     end
+
+    context 'when a query with a escape character is longer than 3 chars' do
+      let(:query) { '_234' }
+
+      it 'returns sanitized partial matching pattern' do
+        expect(to_sql).to eq('%\_234%')
+      end
+    end
   end
 end