diff options
author | Matthew Draper <matthew@trebex.net> | 2017-11-14 23:27:50 +1030 |
---|---|---|
committer | Matthew Draper <matthew@trebex.net> | 2017-11-14 23:30:45 +1030 |
commit | a1ee43d2170dd6adf5a9f390df2b1dde45018a48 (patch) | |
tree | e1fd861d4e370e81c312aa1b4fde45eff48c08f1 /activerecord/lib/active_record/errors.rb | |
parent | ed100166874fb4a542c5aaba933a4cca5ed72269 (diff) | |
parent | 4a5b3ca972e867d9b9276dcd98b0a6b9b6fb7583 (diff) | |
download | rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.gz rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.bz2 rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.zip |
Merge pull request #27947 from mastahyeti/unsafe_raw_sql
Disallow raw SQL in dangerous AR methods
Diffstat (limited to 'activerecord/lib/active_record/errors.rb')
-rw-r--r-- | activerecord/lib/active_record/errors.rb | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/activerecord/lib/active_record/errors.rb b/activerecord/lib/active_record/errors.rb index f77cd23e22..7382879fce 100644 --- a/activerecord/lib/active_record/errors.rb +++ b/activerecord/lib/active_record/errors.rb @@ -342,4 +342,29 @@ module ActiveRecord # StatementTimeout will be raised when statement timeout exceeded. class StatementTimeout < StatementInvalid end + + # UnknownAttributeReference is raised when an unknown and potentially unsafe + # value is passed to a query method when allow_unsafe_raw_sql is set to + # :disabled. For example, passing a non column name value to a relation's + # #order method might cause this exception. + # + # When working around this exception, caution should be taken to avoid SQL + # injection vulnerabilities when passing user-provided values to query + # methods. Known-safe values can be passed to query methods by wrapping them + # in Arel.sql. + # + # For example, with allow_unsafe_raw_sql set to :disabled, the following + # code would raise this exception: + # + # Post.order("length(title)").first + # + # The desired result can be accomplished by wrapping the known-safe string + # in Arel.sql: + # + # Post.order(Arel.sql("length(title)")).first + # + # Again, such a workaround should *not* be used when passing user-provided + # values, such as request parameters or model attributes to query methods. + class UnknownAttributeReference < ActiveRecordError + end end |