authorBen Toews <mastahyeti@gmail.com>2017-10-18 10:21:45 -0600
committerMatthew Draper <matthew@trebex.net>2017-11-09 22:42:15 +1030
commit8ef71ac4a119a4c03d78db2372b41ddcc8a95035 (patch)
tree69133ce1a019e79f121559d3e4fdf71b760c5148 /activerecord/lib/active_record/sanitization.rb
parentb76cc29865fb69389ffdb7bd9f8085aa86354f82 (diff)
push order arg checks down to allow for binds
Diffstat (limited to 'activerecord/lib/active_record/sanitization.rb')
-rw-r--r--activerecord/lib/active_record/sanitization.rb6
1 files changed, 5 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
index 4caf1145f0..232743d3b6 100644
--- a/activerecord/lib/active_record/sanitization.rb
+++ b/activerecord/lib/active_record/sanitization.rb
@@ -63,13 +63,17 @@ module ActiveRecord
# # => "id ASC"
def sanitize_sql_for_order(condition) # :doc:
if condition.is_a?(Array) && condition.first.to_s.include?("?")
+ enforce_raw_sql_whitelist([condition.first],
+ whitelist: AttributeMethods::ClassMethods::COLUMN_NAME_ORDER_WHITELIST
+ )
+
# Ensure we aren't dealing with a subclass of String that might
# override methods we use (eg. Arel::Nodes::SqlLiteral).
if condition.first.kind_of?(String) && !condition.first.instance_of?(String)
condition = [String.new(condition.first), *condition[1..-1]]
end
- sanitize_sql_array(condition)
+ Arel.sql(sanitize_sql_array(condition))
else
condition
end