aboutsummaryrefslogtreecommitdiffstats
path: root/activerecord/lib/active_record/connection_adapters
diff options
context:
space:
mode:
authorRyuta Kamizono <kamipo@gmail.com>2019-06-09 08:01:10 +0900
committerRyuta Kamizono <kamipo@gmail.com>2019-06-10 07:36:58 +0900
commit64d8c54e16ee9ad3b591501401d6c437304e1308 (patch)
tree096ed28c86eab7a412b0cdbd999dbbdd7529a39f /activerecord/lib/active_record/connection_adapters
parent6607ecb2a1ccc9b43cfb8db2d06dc5301a5320ba (diff)
downloadrails-64d8c54e16ee9ad3b591501401d6c437304e1308.tar.gz
rails-64d8c54e16ee9ad3b591501401d6c437304e1308.tar.bz2
rails-64d8c54e16ee9ad3b591501401d6c437304e1308.zip
Allow column name with function (e.g. `length(title)`) as safe SQL string
Currently, almost all "Dangerous query method" warnings are false alarm. As long as almost all the warnings are false alarm, developers think "Let's ignore the warnings by using `Arel.sql()`, it actually is false alarm in practice.", so I think we should effort to reduce false alarm in order to make the warnings valuable. This allows column name with function (e.g. `length(title)`) as safe SQL string, which is very common false alarm pattern, even in the our codebase. Related 6c82b6c99, 6607ecb2a, #36420. Fixes #32995.
Diffstat (limited to 'activerecord/lib/active_record/connection_adapters')
-rw-r--r--activerecord/lib/active_record/connection_adapters/abstract/quoting.rb10
-rw-r--r--activerecord/lib/active_record/connection_adapters/mysql/quoting.rb10
-rw-r--r--activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb10
-rw-r--r--activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb10
4 files changed, 32 insertions, 8 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
index e34f4f745f..1b6ba8ce97 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
@@ -158,7 +158,10 @@ module ActiveRecord
COLUMN_NAME = /
\A
(
- (?:\w+\.)?\w+
+ (?:
+ # table_name.column_name | function(one or no argument)
+ ((?:\w+\.)?\w+) | \w+\((?:|\g<2>)\)
+ )
(?:(?:\s+AS)?\s+\w+)?
)
(?:\s*,\s*\g<1>)*
@@ -179,7 +182,10 @@ module ActiveRecord
COLUMN_NAME_WITH_ORDER = /
\A
(
- (?:\w+\.)?\w+
+ (?:
+ # table_name.column_name | function(one or no argument)
+ ((?:\w+\.)?\w+) | \w+\((?:|\g<2>)\)
+ )
(?:\s+ASC|\s+DESC)?
(?:\s+NULLS\s+(?:FIRST|LAST))?
)
diff --git a/activerecord/lib/active_record/connection_adapters/mysql/quoting.rb b/activerecord/lib/active_record/connection_adapters/mysql/quoting.rb
index a0829b1115..dfed5471f4 100644
--- a/activerecord/lib/active_record/connection_adapters/mysql/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/mysql/quoting.rb
@@ -43,7 +43,10 @@ module ActiveRecord
COLUMN_NAME = /
\A
(
- (?:\w+\.|`\w+`\.)?(?:\w+|`\w+`)
+ (?:
+ # `table_name`.`column_name` | function(one or no argument)
+ ((?:\w+\.|`\w+`\.)?(?:\w+|`\w+`)) | \w+\((?:|\g<2>)\)
+ )
(?:(?:\s+AS)?\s+(?:\w+|`\w+`))?
)
(?:\s*,\s*\g<1>)*
@@ -53,7 +56,10 @@ module ActiveRecord
COLUMN_NAME_WITH_ORDER = /
\A
(
- (?:\w+\.|`\w+`\.)?(?:\w+|`\w+`)
+ (?:
+ # `table_name`.`column_name` | function(one or no argument)
+ ((?:\w+\.|`\w+`\.)?(?:\w+|`\w+`)) | \w+\((?:|\g<2>)\)
+ )
(?:\s+ASC|\s+DESC)?
)
(?:\s*,\s*\g<1>)*
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
index d18c5c5c12..0c800dca83 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
@@ -89,7 +89,10 @@ module ActiveRecord
COLUMN_NAME = /
\A
(
- (?:\w+\.|"\w+"\.)?(?:\w+|"\w+")(?:::\w+)?
+ (?:
+ # "table_name"."column_name"::type_name | function(one or no argument)::type_name
+ ((?:\w+\.|"\w+"\.)?(?:\w+|"\w+")(?:::\w+)?) | \w+\((?:|\g<2>)\)(?:::\w+)?
+ )
(?:(?:\s+AS)?\s+(?:\w+|"\w+"))?
)
(?:\s*,\s*\g<1>)*
@@ -99,7 +102,10 @@ module ActiveRecord
COLUMN_NAME_WITH_ORDER = /
\A
(
- (?:\w+\.|"\w+"\.)?(?:\w+|"\w+")(?:::\w+)?
+ (?:
+ # "table_name"."column_name"::type_name | function(one or no argument)::type_name
+ ((?:\w+\.|"\w+"\.)?(?:\w+|"\w+")(?:::\w+)?) | \w+\((?:|\g<2>)\)(?:::\w+)?
+ )
(?:\s+ASC|\s+DESC)?
(?:\s+NULLS\s+(?:FIRST|LAST))?
)
diff --git a/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb b/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
index 5d6932e4ca..54808de714 100644
--- a/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/sqlite3/quoting.rb
@@ -56,7 +56,10 @@ module ActiveRecord
COLUMN_NAME = /
\A
(
- (?:\w+\.|"\w+"\.)?(?:\w+|"\w+")
+ (?:
+ # "table_name"."column_name" | function(one or no argument)
+ ((?:\w+\.|"\w+"\.)?(?:\w+|"\w+")) | \w+\((?:|\g<2>)\)
+ )
(?:(?:\s+AS)?\s+(?:\w+|"\w+"))?
)
(?:\s*,\s*\g<1>)*
@@ -66,7 +69,10 @@ module ActiveRecord
COLUMN_NAME_WITH_ORDER = /
\A
(
- (?:\w+\.|"\w+"\.)?(?:\w+|"\w+")
+ (?:
+ # "table_name"."column_name" | function(one or no argument)
+ ((?:\w+\.|"\w+"\.)?(?:\w+|"\w+")) | \w+\((?:|\g<2>)\)
+ )
(?:\s+ASC|\s+DESC)?
)
(?:\s*,\s*\g<1>)*