Disallow raw SQL in dangerous AR methods #27947
Closed
Commits
42 commits
fda8480 add config to check arguments to unsafe AR methods (mastahyeti)
30ecd74 same for #order and #reorder (mastahyeti)
d8c2fd7 incorporate changes from reviews (mastahyeti)
2a30621 docs for reorder methods too (mastahyeti)
e2bdd70 use VALID_DIRECTIONS constant (mastahyeti)
4d58a43 change config to enabled/deprecated/disabled (btoews)
1fd4108 allow Arel.sql() for pluck (btoews)
3613e2c allow Arel.sql(...) for order/reorder (btoews)
48ccf6b abstract out column checking (btoews)
9f541a8 Merge branch 'master' into unsafe_raw_sql (btoews)
e41b4d6 make new ActiveRecord::AttributeMethods methods private (btoews)
b111e68 make tests more verbose/explicit (btoews)
8c6ee80 frozen string literal comment (btoews)
a394b48 put those methods back in the correct module (btoews)
61b14bb nodoc for #respond_to_attribute? (btoews)
36c6a8b use default: kwarg with #mattr_accessor (btoews)
e262bf0 better docs on UnknownAttributeReference (btoews)
f637b1c beef up deprecation warning (btoews)
9e1761d remove memoization on attribute_names_and_aliases (btoews)
c47d740 fix deprecation warning (btoews)
745f3ee remove :enabled option (btoews)
94a35fa don't use extract_options! (btoews)
3076499 Merge remote-tracking branch 'origin/master' into unsafe_raw_sql (btoews)
b098558 make attribute_names_and_aliases public/nodoc since it's called publi… (btoews)
33410af work with actual string when reversing order (btoews)
c886ae0 call enforce_raw_sql_whitelist on @klass so it works with FakeKlass (btoews)
7e35d68 always allow Arel::Attributes::Attribute also (btoews)
516c72d work around deprecation warnings in a bunch of tests (btoews)
5d01e1b allow table name and direction in string order arg (btoews)
0258b90 remove unneeded Arel.sql (btoews)
28ec014 allow table name in pluck also (btoews)
853f30a try using regexes (btoews)
90ded1e use << instead of #concat in #reverse_sql_order because we might be w… (btoews)
b80915c convert order arg to string before checking if we can reverse it (btoews)
6efbf76 don't account for quoted column/table names (btoews)
b9989c2 deal with Array arguments to #order (btoews)
9e3f168 push order arg checks down to allow for binds (btoews)
06c6a54 update whitelist regexps and comments (btoews)
c82bbbe use database agnostic function/quoting in test (btoews)
ce7e801 Merge remote-tracking branch 'origin/master' into unsafe_raw_sql (btoews)
2b941e3 fix ws (btoews)
c8809a5 more 💄 (btoews)
Conversations
Is this a necessary change?
Yeah; `s` can be an SqlLiteral, which implements many methods (including [I assume?] `concat`) for SQL construction. It's not great, but that's more Arel's fault. I do have some vague thoughts on rearranging this method, but that's an unrelated refactoring from this PR.
I see. Thanks for the explanation.
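The following is an added example, not code from the rails/rails PR or from Arel. It sketches the kind of whitelist the commit messages describe for string arguments to order/reorder/pluck: a bare or table-qualified column with an optional direction passes, an opted-in raw SQL literal passes, and anything else is either rejected (:disabled) or only warned about (:deprecated). The TrustedSql wrapper stands in for the SqlLiteral that Arel.sql returns, the attribute list and the "users" table are constructed, and every class, method and constant name is hypothetical.

```ruby
# Added example (not rails/rails or Arel code): a column whitelist for
# order-style arguments. All names here are hypothetical.

# Stand-in for Arel::Nodes::SqlLiteral: a String subclass that marks a value
# as raw SQL the caller has explicitly vouched for (Arel.sql returns such an
# object in real Arel; this is only a model of that idea).
class TrustedSql < String; end

def trusted_sql(str)
  TrustedSql.new(str)
end

# Constructed attribute list for a hypothetical "users" table.
USER_ATTRIBUTES = %w[id name email created_at].freeze

# Unquoted column, optionally qualified with a table and followed by a
# direction: "name", "users.name", "name DESC", "users.name asc".
# Function calls, expressions and quoted identifiers do not match.
COLUMN_WITH_DIRECTION = /\A(?:(?<table>\w+)\.)?(?<column>\w+)(?:\s+(?<direction>asc|desc))?\z/i

# True when +arg+ refers only to known attributes of +table+ or was
# explicitly marked as trusted raw SQL.
def safe_order_arg?(arg, attributes: USER_ATTRIBUTES, table: "users")
  case arg
  when TrustedSql          # must be checked before String (it is a String)
    true
  when Symbol
    attributes.include?(arg.to_s)
  when String
    m = COLUMN_WITH_DIRECTION.match(arg)
    return false unless m
    return false if m[:table] && m[:table] != table
    attributes.include?(m[:column])
  when Array
    arg.all? { |a| safe_order_arg?(a, attributes: attributes, table: table) }
  when Hash                # { name: :desc } form
    arg.all? do |column, direction|
      attributes.include?(column.to_s) && %w[asc desc].include?(direction.to_s.downcase)
    end
  else
    false
  end
end

# Enforce the whitelist. :disabled raises on unsafe arguments; :deprecated
# only warns, giving callers time to wrap intentional raw SQL in trusted_sql.
def check_order_args!(args, mode: :disabled, attributes: USER_ATTRIBUTES, table: "users")
  unsafe = args.reject { |a| safe_order_arg?(a, attributes: attributes, table: table) }
  return args if unsafe.empty?

  message = "non-attribute argument(s) passed to query method: #{unsafe.map(&:inspect).join(', ')}"
  case mode
  when :disabled
    raise ArgumentError, message
  when :deprecated
    warn "DEPRECATION WARNING: #{message}; wrap intentional raw SQL in trusted_sql(...)"
    args
  else
    raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  p check_order_args!([:name, "users.email DESC"])          # passes the whitelist
  p check_order_args!(["LENGTH(name)"], mode: :deprecated)  # warns on stderr, returns args
  begin
    check_order_args!(["LENGTH(name)"])                     # :disabled raises
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Quoted identifiers such as "\"name\"" are deliberately not matched, mirroring the commit that stops accounting for quoted column/table names; a caller who needs them, or a function call like LENGTH(name), has to opt in through the trusted_sql wrapper, which is the role the SqlLiteral mentioned in the review comment plays.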