Add test case to prevent possible SQL injection

author: Ryuta Kamizono <kamipo@gmail.com> 2019-03-18 06:47:40 +0900
committer: Ryuta Kamizono <kamipo@gmail.com> 2019-03-18 06:52:41 +0900
commit: 2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3 (patch)
tree: c5aa4cb4e52fdc37ccb673f1349bb23787eb42ea /activerecord/lib/arel/visitors/to_sql.rb
parent: c399f7d07a88d333fa05a361c66a252d9fa462bb (diff)
download: rails-2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3.tar.gz
rails-2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3.tar.bz2
rails-2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/activerecord/lib/arel/visitors/to_sql.rb b/activerecord/lib/arel/visitors/to_sql.rb
index 7e3e265208..72efac72bf 100644
--- a/activerecord/lib/arel/visitors/to_sql.rb
+++ b/activerecord/lib/arel/visitors/to_sql.rb
@@ -805,7 +805,9 @@ module Arel # :nodoc: all
         end
 
         def sanitize_as_sql_comment(o)
-          o.expr.map { |v| v.gsub(%r{ /\*\+?\s* | \s*\*/ }x, "") }
+          o.expr.map { |v|
+            v.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
+          }
         end
 
         def collect_optimizer_hints(o, collector)
author	Ryuta Kamizono <kamipo@gmail.com>	2019-03-18 06:47:40 +0900
committer	Ryuta Kamizono <kamipo@gmail.com>	2019-03-18 06:52:41 +0900
commit	2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3 (patch)
tree	c5aa4cb4e52fdc37ccb673f1349bb23787eb42ea /activerecord/lib/arel/visitors/to_sql.rb
parent	c399f7d07a88d333fa05a361c66a252d9fa462bb (diff)
download	rails-2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3.tar.gz rails-2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3.tar.bz2 rails-2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3.zip