diff options
author | Matthew Draper <matthew@trebex.net> | 2017-11-14 23:27:50 +1030 |
---|---|---|
committer | Matthew Draper <matthew@trebex.net> | 2017-11-14 23:30:45 +1030 |
commit | a1ee43d2170dd6adf5a9f390df2b1dde45018a48 (patch) | |
tree | e1fd861d4e370e81c312aa1b4fde45eff48c08f1 /activerecord/CHANGELOG.md | |
parent | ed100166874fb4a542c5aaba933a4cca5ed72269 (diff) | |
parent | 4a5b3ca972e867d9b9276dcd98b0a6b9b6fb7583 (diff) | |
download | rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.gz rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.bz2 rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.zip |
Merge pull request #27947 from mastahyeti/unsafe_raw_sql
Disallow raw SQL in dangerous AR methods
Diffstat (limited to 'activerecord/CHANGELOG.md')
-rw-r--r-- | activerecord/CHANGELOG.md | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 81ff2923ce..57ec37c75b 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,3 +1,33 @@ +* Require raw SQL fragments to be explicitly marked when used in + relation query methods. + + Before: + ``` + Article.order("LENGTH(title)") + ``` + + After: + ``` + Article.order(Arel.sql("LENGTH(title)")) + ``` + + This prevents SQL injection if applications use the [strongly + discouraged] form `Article.order(params[:my_order])`, under the + mistaken belief that only column names will be accepted. + + Raw SQL strings will now cause a deprecation warning, which will + become an UnknownAttributeReference error in Rails 6.0. Applications + can opt in to the future behavior by setting `allow_unsafe_raw_sql` + to `:disabled`. + + Common and judged-safe string values (such as simple column + references) are unaffected: + ``` + Article.order("title DESC") + ``` + + *Ben Toews* + * `update_all` will now pass its values to `Type#cast` before passing them to `Type#serialize`. This means that `update_all(foo: 'true')` will properly persist a boolean. |