Add test case to prevent possible SQL injection

1 files changed, 10 insertions, 0 deletions

diff --git a/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb b/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
index 4fac7ffdc0..5e4bf232e1 100644
--- a/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
@@ -17,13 +17,23 @@ if supports_optimizer_hints?
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "Seq Scan on posts"
       end
+    end
 
+    def test_optimizer_hints_is_sanitized
       assert_sql(%r{\ASELECT /\*\+ SeqScan\(posts\) \*/}) do
         posts = Post.optimizer_hints("/*+ SeqScan(posts) */")
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "Seq Scan on posts"
       end
 
+      assert_sql(%r{\ASELECT /\*\+  "posts"\.\*,  \*/}) do
+        posts = Post.optimizer_hints("**// \"posts\".*, //**")
+        posts = posts.select(:id).where(author_id: [0, 1])
+        assert_equal({ "id" => 1 }, posts.first.as_json)
+      end
+    end
+
+    def test_optimizer_hints_with_unscope
       assert_sql(%r{\ASELECT "posts"\."id"}) do
         posts = Post.optimizer_hints("/*+ SeqScan(posts) */")
         posts = posts.select(:id).where(author_id: [0, 1])