Allow column name with function (e.g. `length(title)`) as safe SQL string

Currently, almost all "Dangerous query method" warnings are false alarm. As long as almost all the warnings are false alarm, developers think "Let's ignore the warnings by using `Arel.sql()`, it actually is false alarm in practice.", so I think we should effort to reduce false alarm in order to make the warnings valuable. This allows column name with function (e.g. `length(title)`) as safe SQL string, which is very common false alarm pattern, even in the our codebase. Related 6c82b6c99, 6607ecb2a, #36420. Fixes #32995.
author: Ryuta Kamizono <kamipo@gmail.com> 2019-06-09 08:01:10 +0900
committer: Ryuta Kamizono <kamipo@gmail.com> 2019-06-10 07:36:58 +0900
commit: 64d8c54e16ee9ad3b591501401d6c437304e1308 (patch)
tree: 096ed28c86eab7a412b0cdbd999dbbdd7529a39f /activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
parent: 6607ecb2a1ccc9b43cfb8db2d06dc5301a5320ba (diff)
download: rails-64d8c54e16ee9ad3b591501401d6c437304e1308.tar.gz
rails-64d8c54e16ee9ad3b591501401d6c437304e1308.tar.bz2
rails-64d8c54e16ee9ad3b591501401d6c437304e1308.zip
1 files changed, 8 insertions, 2 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb b/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
index 5d6932e4ca..54808de714 100644
--- a/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
@@ -56,7 +56,10 @@ module ActiveRecord
         COLUMN_NAME = /
           \A
           (
-            (?:\w+\.|"\w+"\.)?(?:\w+|"\w+")
+            (?:
+              # "table_name"."column_name" | function(one or no argument)
+              ((?:\w+\.|"\w+"\.)?(?:\w+|"\w+")) | \w+\((?:|\g<2>)\)
+            )
             (?:(?:\s+AS)?\s+(?:\w+|"\w+"))?
           )
           (?:\s*,\s*\g<1>)*
@@ -66,7 +69,10 @@ module ActiveRecord
         COLUMN_NAME_WITH_ORDER = /
           \A
           (
-            (?:\w+\.|"\w+"\.)?(?:\w+|"\w+")
+            (?:
+              # "table_name"."column_name" | function(one or no argument)
+              ((?:\w+\.|"\w+"\.)?(?:\w+|"\w+")) | \w+\((?:|\g<2>)\)
+            )
             (?:\s+ASC|\s+DESC)?
           )
           (?:\s*,\s*\g<1>)*
author	Ryuta Kamizono <kamipo@gmail.com>	2019-06-09 08:01:10 +0900
committer	Ryuta Kamizono <kamipo@gmail.com>	2019-06-10 07:36:58 +0900
commit	64d8c54e16ee9ad3b591501401d6c437304e1308 (patch)
tree	096ed28c86eab7a412b0cdbd999dbbdd7529a39f /activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
parent	6607ecb2a1ccc9b43cfb8db2d06dc5301a5320ba (diff)
download	rails-64d8c54e16ee9ad3b591501401d6c437304e1308.tar.gz rails-64d8c54e16ee9ad3b591501401d6c437304e1308.tar.bz2 rails-64d8c54e16ee9ad3b591501401d6c437304e1308.zip