False positive SQL Injection on scope #833

dvandersluis opened this Issue Mar 4, 2016 · 3 comments





I have a scope that looks like:

scope :grouped, -> { group(Post[:user_id]) }

For some reason it's being flagged as a possible SQL injection; any ideas why?


Hi Daniel,

Yes, because group accepts arbitrary SQL and Post[:user_id] is seen as possible user input from the database. I'm not familiar with this syntax... what does Post.[] return? A column?


It's from the arel_helpers gem (it's equivalent to Post.arel_table[:user_id]); it does return a column (an instance of Arel::Attribute).
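The distinction drawn in the two replies above, as an added Ruby example that is not part of this issue and is not code from Brakeman, Rails, Arel or arel_helpers: a method that accepts raw SQL for GROUP BY is an injection sink when a String reaches it from a request parameter, while a column object (the role Post.arel_table[:user_id] plays in Rails) names one known column and can be quoted. `Column`, `build_group_by`, `group_by_param` and `POST_GROUPABLE` are constructed stand-ins written for this illustration, not Rails or Arel APIs.

```ruby
# Added example (not code from the issue, Brakeman, Rails or Arel).
# Shows why a relation method that accepts raw SQL, like ActiveRecord's
# `group`, is a sink, and why a column object is a safe argument for it.
# Column, build_group_by, group_by_param and POST_GROUPABLE are hypothetical
# stand-ins constructed for this example.

# Stand-in for an Arel::Attribute: a column reference bound to a table.
Column = Struct.new(:table, :name) do
  def to_sql
    "#{quote_ident(table)}.#{quote_ident(name)}"
  end

  private

  # Double-quote an identifier and escape embedded quotes (ANSI SQL rule).
  def quote_ident(ident)
    '"' + ident.to_s.gsub('"', '""') + '"'
  end
end

# Column names a caller may legitimately group by (constructed allowlist).
POST_GROUPABLE = %w[user_id status].freeze

# Mimics a `group` that accepts arbitrary SQL: a Column is quoted and emitted,
# a String is passed through verbatim, so a String taken from a request
# parameter becomes an injection point.
def build_group_by(expr)
  fragment =
    case expr
    when Column then expr.to_sql
    when String then expr
    else raise ArgumentError, "unsupported GROUP BY argument: #{expr.class}"
    end
  "SELECT COUNT(*) FROM posts GROUP BY #{fragment}"
end

# Safe handling of untrusted input: map the parameter onto an allowlisted
# column object instead of passing it through as SQL.
def group_by_param(param)
  name = param.to_s
  unless POST_GROUPABLE.include?(name)
    raise ArgumentError, "not a groupable column: #{name.inspect}"
  end
  build_group_by(Column.new(:posts, name))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile input standing in for params[:group].
  hostile = 'user_id; DROP TABLE posts; --'
  puts build_group_by(Column.new(:posts, :user_id))  # quoted column, safe
  puts build_group_by(hostile)                        # raw SQL, injected
  begin
    group_by_param(hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The scanner cannot tell from the call site alone whether the argument to a raw-SQL method is a quoted column object or a String built from a parameter, which is why a column reference like Post[:user_id] can trip the same warning as the genuinely dangerous String case; the allowlist in group_by_param is the pattern to reach for when the grouping column really does come from the request.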


This is fixed with #985
