Accept nested functions in Dangerous Query Methods #44010
Conversation
|
Thanks for the PR, and welcome to Rails. Could you add a test that shows some example of what would be accepted now? I think ideally #33330 would handle all these cases, but it doesn't seem to be moving very quickly. |
|
Absolutely - thanks for taking a look! Let me know how those tests look and if there are other places I should add tests. #36448 did also modify |
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
from
5b38084
to
d1a1b0f
Compare
|
@ghiculescu I went ahead and fixed some merge conflicts, added a test as you mentioned (but let me know if there are others I should add!), and I think this is ready to go. Let me know if there's any other improvements I can make |
|
That looks really good. I will leave it for review from a core team member. |
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
3 times, most recently
from
e370856
to
86e4dba
Compare
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
2 times, most recently
from
3231694
to
96669d5
Compare
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
from
96669d5
to
14a4382
Compare
|
@ghiculescu is there anyone in particular that I should request for review or are there any next steps I should be doing? Thanks! |
|
Nah, it just needs someone from the core team to review. They are pretty busy (particularly with Railsconf this week) but I'm sure they will get to it! |
activerecord/CHANGELOG.md
Outdated
| @@ -62,6 +62,10 @@ | |||
|
|
|||
| *Alex Ghiculescu* | |||
|
|
|||
| * Allow nested functions as safe SQL string | |||
There was a problem hiding this comment.
please move this to the top of the file
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
from
14a4382
to
abb75d8
Compare
Oh, right. Unideal time for me to ping on this 😆 I'll leave this be. Thanks again for all the help! |
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
3 times, most recently
from
d6a9a8c
to
557a13e
Compare
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
3 times, most recently
from
1bb52ed
to
6baba26
Compare
Mailing list thread: https://discuss.rubyonrails.org/t/feature-proposal-accept-nested-functions-w-r-t-dangerous-query-methods/78650 *Summary* I think there’s an opportunity to reduce additional false positives for Dangerous Query Method deprecations/errors. *Nested Functions* Similar to rails#36448, it seems reasonable to allow functions that accept other functions (e.g. `length(trim(title))`). *Background* * PR accepting non-nested functions: rails#36448 * Deep background on deprecation and false positives: rails#32995 * Constants: `COLUMN_NAME` for the first and `COLUMN_NAME_WITH_ORDER` for both
siegfault
force-pushed
the
dangerous_query_method_allow_nested_functions
branch
from
6baba26
to
8fe1bd5
Compare
Summary
I think there’s an opportunity to reduce additional false positives for
Dangerous Query Method deprecations/errors. Similar to #36448, it seems
reasonable to allow functions that accept other functions (e.g.
length(trim(title))).Other Information
Mailing list thread: https://discuss.rubyonrails.org/t/feature-proposal-accept-nested-functions-w-r-t-dangerous-query-methods/78650
Background
length(title)) as safe SQL string #36448random()function call #32995COLUMN_NAMEfor the first andCOLUMN_NAME_WITH_ORDERfor both