whitelist NULLS { FIRST | LAST } in order clauses
@@ -177,7 +177,14 @@ def attribute_names |
|
|
# "#{table_name}.#{column_name} #{direction}" |
|
|
# "#{column_name}" |
|
|
# "#{column_name} #{direction}" |
|
|
COLUMN_NAME_ORDER_WHITELIST = /\A(?:\w+\.)?\w+(?:\s+asc|\s+desc)?\z/i |
|
|
COLUMN_NAME_ORDER_WHITELIST = / |
|
|
\A |
|
|
(?:\w+\.)? |
|
|
\w+ |
|
|
(?:\s+asc|\s+desc)? |
|
|
(?:\s+nulls\s+(?:first|last))? |
|
|
\z |
|
|
/ix |
|
|
|
|
|
def enforce_raw_sql_whitelist(args, whitelist: COLUMN_NAME_WHITELIST) # :nodoc: |
|
|
unexpected = args.reject do |arg| |
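Review bot: The comment block above COLUMN_NAME_ORDER_WHITELIST still lists only the three pre-existing shapes, so the new `nulls first|last` alternative the regex now accepts is undocumented at the point where a reader checks what the whitelist permits; add a fourth example line, `# "#{column_name} #{direction} nulls #{position}"`, next to the existing ones. It is also worth a one-line note on the constant that the `NULLS { FIRST | LAST }` suffix is PostgreSQL ordering syntax, since the whitelist is adapter-independent and the matching test is guarded by current_adapter?(:PostgreSQLAdapter). The constant itself looks sound: it stays anchored with \A and \z, and with the x flag the only literal whitespace allowed is the escaped `\s+` between tokens, so the accepted set remains a fixed token grammar rather than free-form SQL. The enforce_raw_sql_whitelist method that consumes the constant starts at the end of this hunk and its body continues outside it.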
|
|
|
@@ -107,6 +107,26 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase |
|
|
assert_equal ids_expected, ids_disabled |
|
|
end |
|
|
|
|
|
test "order: allows NULLS FIRST and NULLS LAST too" do |
|
|
raise "precondition failed" if Post.count < 2 |
|
|
|
|
|
# Ensure there are NULL and non-NULL post types. |
|
|
Post.first.update_column(:type, nil) |
|
|
Post.last.update_column(:type, "Programming") |
|
|
|
|
|
["asc", "desc", ""].each do |direction| |
|
|
%w(first last).each do |position| |
|
|
ids_expected = Post.order(Arel.sql("type #{direction} nulls #{position}")).pluck(:id) |
|
|
|
|
|
ids_depr = with_unsafe_raw_sql_deprecated { Post.order("type #{direction} nulls #{position}").pluck(:id) } |
|
|
ids_disabled = with_unsafe_raw_sql_disabled { Post.order("type #{direction} nulls #{position}").pluck(:id) } |
|
|
|
|
|
assert_equal ids_expected, ids_depr |
|
|
assert_equal ids_expected, ids_disabled |
|
|
end |
|
|
end |
|
|
end if current_adapter?(:PostgreSQLAdapter) |
|
|
|
|
|
test "order: disallows invalid column name" do |
|
|
with_unsafe_raw_sql_disabled do |
|
|
assert_raises(ActiveRecord::UnknownAttributeReference) do |
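Review bot: The new test only exercises the allow side of the widened whitelist; nothing in the added block checks that a malformed NULLS suffix is still rejected, so a future loosening of the regex (for example dropping the `(?:first|last)` alternation) would pass this suite unnoticed. Add a negative case alongside it, e.g. `assert_raises(ActiveRecord::UnknownAttributeReference) { Post.order("type nulls random").pluck(:id) }` inside a with_unsafe_raw_sql_disabled block, so the rejection path is pinned as well as the acceptance path. As a minor style point, `raise "precondition failed" if Post.count < 2` would read more naturally as a test assertion such as `assert_operator Post.count, :>=, 2`. The "disallows invalid column name" test at the end of the hunk continues outside it.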
|
|