Skip to content
Browse files

whitelist NULLS { FIRST | LAST } in order clauses

  • Loading branch information
fxn committed Mar 6, 2018
1 parent 718e4c6 commit e4a921a75f8702a7dbaf41e31130fe884dea93f9
@@ -177,7 +177,14 @@ def attribute_names
# "#{table_name}.#{column_name} #{direction}"
# "#{column_name}"
# "#{column_name} #{direction}"
COLUMN_NAME_ORDER_WHITELIST = /\A(?:\w+\.)?\w+(?:\s+asc|\s+desc)?\z/i

def enforce_raw_sql_whitelist(args, whitelist: COLUMN_NAME_WHITELIST) # :nodoc:
unexpected = args.reject do |arg|
@@ -107,6 +107,26 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
assert_equal ids_expected, ids_disabled

test "order: allows NULLS FIRST and NULLS LAST too" do
raise "precondition failed" if Post.count < 2

# Ensure there are NULL and non-NULL post types.
Post.first.update_column(:type, nil)
Post.last.update_column(:type, "Programming")

["asc", "desc", ""].each do |direction|
%w(first last).each do |position|
ids_expected = Post.order(Arel.sql("type #{direction} nulls #{position}")).pluck(:id)

ids_depr = with_unsafe_raw_sql_deprecated { Post.order("type #{direction} nulls #{position}").pluck(:id) }
ids_disabled = with_unsafe_raw_sql_disabled { Post.order("type #{direction} nulls #{position}").pluck(:id) }

assert_equal ids_expected, ids_depr
assert_equal ids_expected, ids_disabled
end if current_adapter?(:PostgreSQLAdapter)

test "order: disallows invalid column name" do
with_unsafe_raw_sql_disabled do
assert_raises(ActiveRecord::UnknownAttributeReference) do

0 comments on commit e4a921a

Please sign in to comment.