Accept nested functions in Dangerous Query Methods #44010
Conversation
Thanks for the PR, and welcome to Rails. Could you add a test that shows some example of what would be accepted now? I think ideally #33330 would handle all these cases, but it doesn't seem to be moving very quickly.

Absolutely - thanks for taking a look! Let me know how those tests look and if there are other places I should add tests. #36448 did also modify
@ghiculescu I went ahead and fixed some merge conflicts, added a test as you mentioned (but let me know if there are others I should add!), and I think this is ready to go. Let me know if there are any other improvements I can make.

That looks really good. I will leave it for review from a core team member.
@ghiculescu is there anyone in particular that I should request for review, or are there any next steps I should be doing? Thanks!

Nah, it just needs someone from the core team to review. They are pretty busy (particularly with Railsconf this week) but I'm sure they will get to it!
activerecord/CHANGELOG.md (outdated)
@@ -62,6 +62,10 @@

*Alex Ghiculescu*

* Allow nested functions as safe SQL string
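Review bot: the new CHANGELOG line `* Allow nested functions as safe SQL string` is inserted at line 62 below an existing entry, but Rails CHANGELOGs take new entries at the top of the file, so move it above the first existing entry. Since this line is the user-facing record of the change, it should also say what now passes, e.g. quote `length(trim(title))` from the PR description, and end with an author attribution line like the `*Alex Ghiculescu*` line that closes the neighbouring entry.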
please move this to the top of the file
Oh, right. Unideal time for me to ping on this 😆 I'll leave this be. Thanks again for all the help!
Mailing list thread: https://discuss.rubyonrails.org/t/feature-proposal-accept-nested-functions-w-r-t-dangerous-query-methods/78650

*Summary*

I think there's an opportunity to reduce additional false positives for Dangerous Query Method deprecations/errors.

*Nested Functions*

Similar to rails#36448, it seems reasonable to allow functions that accept other functions (e.g. `length(trim(title))`).

*Background*

* PR accepting non-nested functions: rails#36448
* Deep background on deprecation and false positives: rails#32995
* Constants: `COLUMN_NAME` for the first and `COLUMN_NAME_WITH_ORDER` for both
Summary

I think there's an opportunity to reduce additional false positives for Dangerous Query Method deprecations/errors. Similar to #36448, it seems reasonable to allow functions that accept other functions (e.g. `length(trim(title))`).

Other Information

Mailing list thread: https://discuss.rubyonrails.org/t/feature-proposal-accept-nested-functions-w-r-t-dangerous-query-methods/78650

Background

* PR accepting non-nested functions (e.g. `length(title)`) as safe SQL string: #36448
* Deep background on deprecation and false positives (`random()` function call): #32995
* Constants: `COLUMN_NAME` for the first and `COLUMN_NAME_WITH_ORDER` for both
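As an added illustration of what such an allowlist has to do to admit `length(trim(title))` without admitting arbitrary SQL (this is example code written for this page, not Rails' own `COLUMN_NAME` / `COLUMN_NAME_WITH_ORDER` definitions and not code from this PR): a Ruby regex whose named group calls itself, so a function's single argument may be a column name or another function call to any depth. The constant names, the alias and ORDER BY suffix grammar, the single-argument restriction and the sample fragments are all assumptions made for the example.

```ruby
# Added illustration, not Rails' own COLUMN_NAME / COLUMN_NAME_WITH_ORDER:
# an allowlist for SQL fragments that permits nested single-argument
# function calls such as length(trim(title)).

# A bare column ("title", "posts.title") or a function whose only argument
# is, recursively, another such expression. The subexpression call \g<expr>
# is what makes nesting to any depth work; (?:|\g<expr>) also admits a
# zero-argument call.
SAFE_COLUMN_NAME = /
  \A
  (?<expr>
    (?:\w+\.)?\w+                    # column_name or table_name.column_name
    |
    \w+\(\s*(?:|\g<expr>)\s*\)       # function(<expr>), with <expr> recursive
  )
  (?:(?:\s+AS)?\s+\w+)?              # optional alias, e.g. length(title) AS len
  \z
/ix

# Same expression grammar, followed by an optional direction and NULLS
# placement, repeated as a comma-separated list (an ORDER BY style fragment).
SAFE_COLUMN_NAME_WITH_ORDER = /
  \A
  (?<item>
    (?<expr>
      (?:\w+\.)?\w+
      |
      \w+\(\s*(?:|\g<expr>)\s*\)
    )
    (?:\s+ASC|\s+DESC)?
    (?:\s+NULLS\s+(?:FIRST|LAST))?
  )
  (?:\s*,\s*\g<item>)*
  \z
/ix

# True when the whole fragment is inside the allowlist grammar. Anything
# else (a second argument, a stray ")", a ";", an "OR 1=1") is rejected:
# the allowlist names what is safe rather than trying to spot what is dangerous.
def safe_sql_fragment?(fragment, with_order: false)
  regex = with_order ? SAFE_COLUMN_NAME_WITH_ORDER : SAFE_COLUMN_NAME
  fragment.to_s.match?(regex)
end

# Constructed sample fragments (not taken from the PR's tests):
# [fragment, check it against the ORDER BY variant?]
SAMPLE_FRAGMENTS = [
  ["title",                                 false],
  ["posts.title",                           false],
  ["length(title)",                         false],
  ["length(trim(title))",                   false],
  ["length(title) AS len",                  false],
  ["upper(trim(title)) DESC, posts.id",     true],
  ["coalesce(title, body)",                 false],
  ["title; DROP TABLE posts",               false],
  ["length(title) OR 1=1",                  false],
  ["length(trim(title)))",                  false],
  ["length(title) DESC; DELETE FROM posts", true],
].freeze

# Runs every sample through the allowlist; returns { fragment => accepted? }.
def classify_samples(samples = SAMPLE_FRAGMENTS)
  samples.to_h do |fragment, with_order|
    [fragment, safe_sql_fragment?(fragment, with_order: with_order)]
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_samples.each do |fragment, accepted|
    puts "#{accepted ? 'accept' : 'reject'}  #{fragment}"
  end
end
```

The recursion is the only change needed to go from "function of a column" to "function of a function": with a non-recursive inner group the second alternative would only ever see a column name. Multi-argument calls such as `coalesce(title, body)` are deliberately outside this illustration's grammar; widening it is a separate decision about what counts as safe.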