Merge pull request #27947 from mastahyeti/unsafe_raw_sql

Disallow raw SQL in dangerous AR methods
author: Matthew Draper <matthew@trebex.net> 2017-11-14 23:27:50 +1030
committer: Matthew Draper <matthew@trebex.net> 2017-11-14 23:30:45 +1030
commit: a1ee43d2170dd6adf5a9f390df2b1dde45018a48 (patch)
tree: e1fd861d4e370e81c312aa1b4fde45eff48c08f1 /activerecord/test/cases/associations
parent: ed100166874fb4a542c5aaba933a4cca5ed72269 (diff)
parent: 4a5b3ca972e867d9b9276dcd98b0a6b9b6fb7583 (diff)
download: rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.gz
rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.bz2
rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.zip
1 files changed, 5 insertions, 5 deletions
diff --git a/activerecord/test/cases/associations/eager_test.rb b/activerecord/test/cases/associations/eager_test.rb
index 9afe6a893c..9a042c74db 100644
--- a/activerecord/test/cases/associations/eager_test.rb
+++ b/activerecord/test/cases/associations/eager_test.rb
@@ -427,7 +427,7 @@ class EagerAssociationTest < ActiveRecord::TestCase
   def test_eager_association_loading_with_belongs_to_and_order_string_with_quoted_table_name
     quoted_posts_id = Comment.connection.quote_table_name("posts") + "." + Comment.connection.quote_column_name("id")
     assert_nothing_raised do
-      Comment.includes(:post).references(:posts).order(quoted_posts_id)
+      Comment.includes(:post).references(:posts).order(Arel.sql(quoted_posts_id))
     end
   end
 
@@ -874,14 +874,14 @@ class EagerAssociationTest < ActiveRecord::TestCase
       posts(:thinking, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: "UPPER(posts.title)", limit: 2, offset: 1
+        order: Arel.sql("UPPER(posts.title)"), limit: 2, offset: 1
       ).to_a
     )
     assert_equal(
       posts(:sti_post_and_comments, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: "UPPER(posts.title) DESC", limit: 2, offset: 1
+        order: Arel.sql("UPPER(posts.title) DESC"), limit: 2, offset: 1
       ).to_a
     )
   end
@@ -891,14 +891,14 @@ class EagerAssociationTest < ActiveRecord::TestCase
       posts(:thinking, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: ["UPPER(posts.title)", "posts.id"], limit: 2, offset: 1
+        order: [Arel.sql("UPPER(posts.title)"), "posts.id"], limit: 2, offset: 1
       ).to_a
     )
     assert_equal(
       posts(:sti_post_and_comments, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: ["UPPER(posts.title) DESC", "posts.id"], limit: 2, offset: 1
+        order: [Arel.sql("UPPER(posts.title) DESC"), "posts.id"], limit: 2, offset: 1
       ).to_a
     )
   end
author	Matthew Draper <matthew@trebex.net>	2017-11-14 23:27:50 +1030
committer	Matthew Draper <matthew@trebex.net>	2017-11-14 23:30:45 +1030
commit	a1ee43d2170dd6adf5a9f390df2b1dde45018a48 (patch)
tree	e1fd861d4e370e81c312aa1b4fde45eff48c08f1 /activerecord/test/cases/associations
parent	ed100166874fb4a542c5aaba933a4cca5ed72269 (diff)
parent	4a5b3ca972e867d9b9276dcd98b0a6b9b6fb7583 (diff)
download	rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.gz rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.bz2 rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.zip