whitelist NULLS { FIRST | LAST } in order clauses

activerecord/lib/active_record/attribute_methods.rb

@@ -177,7 +177,14 @@ def attribute_names
      #   "#{table_name}.#{column_name} #{direction}"
      #   "#{column_name}"
      #   "#{column_name} #{direction}"
      COLUMN_NAME_ORDER_WHITELIST = /\A(?:\w+\.)?\w+(?:\s+asc|\s+desc)?\z/i
      COLUMN_NAME_ORDER_WHITELIST = /
        \A
        (?:\w+\.)?
        \w+
        (?:\s+asc|\s+desc)?
        (?:\s+nulls\s+(?:first|last))?
        \z
      /ix

      def enforce_raw_sql_whitelist(args, whitelist: COLUMN_NAME_WHITELIST) # :nodoc:
        unexpected = args.reject do |arg|

activerecord/test/cases/unsafe_raw_sql_test.rb

@@ -107,6 +107,26 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
    assert_equal ids_expected, ids_disabled
  end

  test "order: allows NULLS FIRST and NULLS LAST too" do
    raise "precondition failed" if Post.count < 2

    # Ensure there are NULL and non-NULL post types.
    Post.first.update_column(:type, nil)
    Post.last.update_column(:type, "Programming")

    ["asc", "desc", ""].each do |direction|
      %w(first last).each do |position|
        ids_expected = Post.order(Arel.sql("type #{direction} nulls #{position}")).pluck(:id)

        ids_depr     = with_unsafe_raw_sql_deprecated { Post.order("type #{direction} nulls #{position}").pluck(:id) }
        ids_disabled = with_unsafe_raw_sql_disabled   { Post.order("type #{direction} nulls #{position}").pluck(:id) }

        assert_equal ids_expected, ids_depr
        assert_equal ids_expected, ids_disabled
      end
    end
  end if current_adapter?(:PostgreSQLAdapter)

  test "order: disallows invalid column name" do
    with_unsafe_raw_sql_disabled do
      assert_raises(ActiveRecord::UnknownAttributeReference) do