False positive SQL Injection on scope #833

Closed
dvandersluis opened this Issue Mar 4, 2016 · 3 comments


@dvandersluis

I have a scope that looks like:

scope :grouped, -> { group(Post[:user_id]) }

For some reason it's being flagged as a possible SQL injection; any ideas why?

@presidentbeef
Owner

Hi Daniel,

Yes, because group accepts arbitrary SQL and Post[:user_id] is seen as possible user input from the database. I'm not familiar with this syntax...what does Post.[] return? A column?

@dvandersluis

It's from the arel_helpers gem (it's equivalent to Post.arel_table[:user_id]); it does return a column (an instance of Arel::Attribute).

@presidentbeef
Owner

This is fixed with #985
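The thread above boils down to one question a static analyser has to answer for a method such as group that accepts raw SQL: is the argument a literal or a column object (safe), or something dynamic (worth a warning)? The script below is an added illustration and is not Brakeman's code or the fix referenced in #985. It uses Ruby's stdlib Ripper to parse small scope definitions and classify the argument passed to group, treating Post[:user_id] (a constant indexed with a symbol, which the thread says returns an Arel::Attribute) as a column reference rather than user input. The sample scopes other than the first one are constructed for the example, and the classification rules are a hypothetical, simplified heuristic, not Brakeman's actual rules.

```ruby
require 'ripper'

# Constructed samples: the first is the scope from the issue, the rest are
# variations added to show how each kind of argument is classified.
SAMPLES = {
  arel_attribute: 'scope :grouped, -> { group(Post[:user_id]) }',
  symbol:         'scope :grouped, -> { group(:user_id) }',
  plain_string:   'scope :grouped, -> { group("user_id") }',
  interpolated:   'scope :grouped, -> { group("#{params[:col]}") }',
  variable:       'scope :grouped, -> { group(col) }',
}.freeze

# Unwrap Ripper's argument wrappers and return the first argument node.
def first_arg(args)
  return nil unless args.is_a?(Array)
  case args[0]
  when :arg_paren      then first_arg(args[1])
  when :args_add_block then args[1].first
  else args
  end
end

# Collect the first argument of every call to `group` in the parse tree.
def find_group_args(node, found = [])
  return found unless node.is_a?(Array)
  if node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :fcall
    ident = node[1][1]
    found << first_arg(node[2]) if ident[0] == :@ident && ident[1] == 'group'
  elsif node[0] == :command && node[1].is_a?(Array) &&
        node[1][0] == :@ident && node[1][1] == 'group'
    found << first_arg(node[2])
  end
  node.each { |child| find_group_args(child, found) }
  found
end

# True if a node of the given type appears anywhere in the subtree.
def contains?(node, type)
  return false unless node.is_a?(Array)
  return true if node[0] == type
  node.any? { |child| contains?(child, type) }
end

# Hypothetical heuristic: literals and Const[:symbol] column references are
# safe; interpolated strings and anything else dynamic get a warning.
def classify(arg)
  return :no_argument if arg.nil?
  case arg[0]
  when :symbol_literal, :dyna_symbol
    contains?(arg, :string_embexpr) ? :warn_interpolation : :safe_symbol
  when :string_literal
    contains?(arg, :string_embexpr) ? :warn_interpolation : :safe_literal
  when :aref
    recv = arg[1]
    idx  = first_arg(arg[2])
    const_recv = recv.is_a?(Array) && recv[0] == :var_ref && recv[1][0] == :@const
    symbol_idx = idx.is_a?(Array) && idx[0] == :symbol_literal
    const_recv && symbol_idx ? :safe_arel_attribute : :warn_dynamic
  else
    :warn_dynamic
  end
end

# Parse one scope definition and classify every `group` argument in it.
def check_scope(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "could not parse: #{source}" if tree.nil?
  find_group_args(tree).map { |arg| classify(arg) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, src| puts "#{name.to_s.ljust(15)} #{check_scope(src).inspect}" }
end
```

Running the script prints one classification per sample; only the interpolated string and the bare variable produce a warning, while the Arel attribute from the issue is recognised as a column reference. A real analyser has to be much more careful (it cannot know that Post.[] is an Arel helper without configuration or dataflow), which is exactly why the original scope was flagged before #985.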
