Merge pull request #27947 from mastahyeti/unsafe_raw_sql

Disallow raw SQL in dangerous AR methods
author: Matthew Draper <matthew@trebex.net> 2017-11-14 23:27:50 +1030
committer: Matthew Draper <matthew@trebex.net> 2017-11-14 23:30:45 +1030
commit: a1ee43d2170dd6adf5a9f390df2b1dde45018a48 (patch)
tree: e1fd861d4e370e81c312aa1b4fde45eff48c08f1 /activerecord/test
parent: ed100166874fb4a542c5aaba933a4cca5ed72269 (diff)
parent: 4a5b3ca972e867d9b9276dcd98b0a6b9b6fb7583 (diff)
download: rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.gz
rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.bz2
rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.zip
6 files changed, 334 insertions, 31 deletions
diff --git a/activerecord/test/cases/associations/eager_test.rb b/activerecord/test/cases/associations/eager_test.rb
index 9afe6a893c..9a042c74db 100644
--- a/activerecord/test/cases/associations/eager_test.rb
+++ b/activerecord/test/cases/associations/eager_test.rb
@@ -427,7 +427,7 @@ class EagerAssociationTest < ActiveRecord::TestCase
   def test_eager_association_loading_with_belongs_to_and_order_string_with_quoted_table_name
     quoted_posts_id = Comment.connection.quote_table_name("posts") + "." + Comment.connection.quote_column_name("id")
     assert_nothing_raised do
-      Comment.includes(:post).references(:posts).order(quoted_posts_id)
+      Comment.includes(:post).references(:posts).order(Arel.sql(quoted_posts_id))
     end
   end
 
@@ -874,14 +874,14 @@ class EagerAssociationTest < ActiveRecord::TestCase
       posts(:thinking, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: "UPPER(posts.title)", limit: 2, offset: 1
+        order: Arel.sql("UPPER(posts.title)"), limit: 2, offset: 1
       ).to_a
     )
     assert_equal(
       posts(:sti_post_and_comments, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: "UPPER(posts.title) DESC", limit: 2, offset: 1
+        order: Arel.sql("UPPER(posts.title) DESC"), limit: 2, offset: 1
       ).to_a
     )
   end
@@ -891,14 +891,14 @@ class EagerAssociationTest < ActiveRecord::TestCase
       posts(:thinking, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: ["UPPER(posts.title)", "posts.id"], limit: 2, offset: 1
+        order: [Arel.sql("UPPER(posts.title)"), "posts.id"], limit: 2, offset: 1
       ).to_a
     )
     assert_equal(
       posts(:sti_post_and_comments, :sti_comments),
       Post.all.merge!(
         includes: [:author, :comments], where: { "authors.name" => "David" },
-        order: ["UPPER(posts.title) DESC", "posts.id"], limit: 2, offset: 1
+        order: [Arel.sql("UPPER(posts.title) DESC"), "posts.id"], limit: 2, offset: 1
       ).to_a
     )
   end
diff --git a/activerecord/test/cases/calculations_test.rb b/activerecord/test/cases/calculations_test.rb
index 66bc14b5ab..55b50e4f84 100644
--- a/activerecord/test/cases/calculations_test.rb
+++ b/activerecord/test/cases/calculations_test.rb
@@ -663,14 +663,14 @@ class CalculationsTest < ActiveRecord::TestCase
   end
 
   def test_pluck_with_selection_clause
-    assert_equal [50, 53, 55, 60], Account.pluck("DISTINCT credit_limit").sort
-    assert_equal [50, 53, 55, 60], Account.pluck("DISTINCT accounts.credit_limit").sort
-    assert_equal [50, 53, 55, 60], Account.pluck("DISTINCT(credit_limit)").sort
+    assert_equal [50, 53, 55, 60], Account.pluck(Arel.sql("DISTINCT credit_limit")).sort
+    assert_equal [50, 53, 55, 60], Account.pluck(Arel.sql("DISTINCT accounts.credit_limit")).sort
+    assert_equal [50, 53, 55, 60], Account.pluck(Arel.sql("DISTINCT(credit_limit)")).sort
 
     # MySQL returns "SUM(DISTINCT(credit_limit))" as the column name unless
     # an alias is provided.  Without the alias, the column cannot be found
     # and properly typecast.
-    assert_equal [50 + 53 + 55 + 60], Account.pluck("SUM(DISTINCT(credit_limit)) as credit_limit")
+    assert_equal [50 + 53 + 55 + 60], Account.pluck(Arel.sql("SUM(DISTINCT(credit_limit)) as credit_limit"))
   end
 
   def test_plucks_with_ids
@@ -772,7 +772,7 @@ class CalculationsTest < ActiveRecord::TestCase
     companies = Company.order(:name).limit(3).load
 
     assert_queries 1 do
-      assert_equal ["37signals", "Apex", "Ex Nihilo"], companies.pluck("DISTINCT name")
+      assert_equal ["37signals", "Apex", "Ex Nihilo"], companies.pluck(Arel.sql("DISTINCT name"))
     end
   end
 
diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
index d8bc917e7f..1268949ba9 100644
--- a/activerecord/test/cases/finder_test.rb
+++ b/activerecord/test/cases/finder_test.rb
@@ -239,7 +239,7 @@ class FinderTest < ActiveRecord::TestCase
 
   # Ensure +exists?+ runs without an error by excluding order value.
   def test_exists_with_order
-    assert_equal true, Topic.order("invalid sql here").exists?
+    assert_equal true, Topic.order(Arel.sql("invalid sql here")).exists?
   end
 
   def test_exists_with_joins
@@ -652,7 +652,7 @@ class FinderTest < ActiveRecord::TestCase
 
   def test_last_with_irreversible_order
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("coalesce(author_name, title)").last
+      Topic.order(Arel.sql("coalesce(author_name, title)")).last
     end
   end
 
diff --git a/activerecord/test/cases/relations_test.rb b/activerecord/test/cases/relations_test.rb
index eec43ef79e..50ad1d5b26 100644
--- a/activerecord/test/cases/relations_test.rb
+++ b/activerecord/test/cases/relations_test.rb
@@ -250,7 +250,7 @@ class RelationTest < ActiveRecord::TestCase
   end
 
   def test_reverse_order_with_function
-    topics = Topic.order("length(title)").reverse_order
+    topics = Topic.order(Arel.sql("length(title)")).reverse_order
     assert_equal topics(:second).title, topics.first.title
   end
 
@@ -260,24 +260,24 @@ class RelationTest < ActiveRecord::TestCase
   end
 
   def test_reverse_order_with_function_other_predicates
-    topics = Topic.order("author_name, length(title), id").reverse_order
+    topics = Topic.order(Arel.sql("author_name, length(title), id")).reverse_order
     assert_equal topics(:second).title, topics.first.title
-    topics = Topic.order("length(author_name), id, length(title)").reverse_order
+    topics = Topic.order(Arel.sql("length(author_name), id, length(title)")).reverse_order
     assert_equal topics(:fifth).title, topics.first.title
   end
 
   def test_reverse_order_with_multiargument_function
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("concat(author_name, title)").reverse_order
+      Topic.order(Arel.sql("concat(author_name, title)")).reverse_order
     end
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("concat(lower(author_name), title)").reverse_order
+      Topic.order(Arel.sql("concat(lower(author_name), title)")).reverse_order
     end
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("concat(author_name, lower(title))").reverse_order
+      Topic.order(Arel.sql("concat(author_name, lower(title))")).reverse_order
     end
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("concat(lower(author_name), title, length(title)").reverse_order
+      Topic.order(Arel.sql("concat(lower(author_name), title, length(title)")).reverse_order
     end
   end
 
@@ -289,10 +289,10 @@ class RelationTest < ActiveRecord::TestCase
 
   def test_reverse_order_with_nulls_first_or_last
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("title NULLS FIRST").reverse_order
+      Topic.order(Arel.sql("title NULLS FIRST")).reverse_order
     end
     assert_raises(ActiveRecord::IrreversibleOrderError) do
-      Topic.order("title nulls last").reverse_order
+      Topic.order(Arel.sql("title nulls last")).reverse_order
     end
   end
 
@@ -385,29 +385,29 @@ class RelationTest < ActiveRecord::TestCase
 
   def test_finding_with_cross_table_order_and_limit
     tags = Tag.includes(:taggings).
-              order("tags.name asc", "taggings.taggable_id asc", "REPLACE('abc', taggings.taggable_type, taggings.taggable_type)").
+              order("tags.name asc", "taggings.taggable_id asc", Arel.sql("REPLACE('abc', taggings.taggable_type, taggings.taggable_type)")).
               limit(1).to_a
     assert_equal 1, tags.length
   end
 
   def test_finding_with_complex_order_and_limit
-    tags = Tag.includes(:taggings).references(:taggings).order("REPLACE('abc', taggings.taggable_type, taggings.taggable_type)").limit(1).to_a
+    tags = Tag.includes(:taggings).references(:taggings).order(Arel.sql("REPLACE('abc', taggings.taggable_type, taggings.taggable_type)")).limit(1).to_a
     assert_equal 1, tags.length
   end
 
   def test_finding_with_complex_order
-    tags = Tag.includes(:taggings).references(:taggings).order("REPLACE('abc', taggings.taggable_type, taggings.taggable_type)").to_a
+    tags = Tag.includes(:taggings).references(:taggings).order(Arel.sql("REPLACE('abc', taggings.taggable_type, taggings.taggable_type)")).to_a
     assert_equal 3, tags.length
   end
 
   def test_finding_with_sanitized_order
-    query = Tag.order(["field(id, ?)", [1, 3, 2]]).to_sql
+    query = Tag.order([Arel.sql("field(id, ?)"), [1, 3, 2]]).to_sql
     assert_match(/field\(id, 1,3,2\)/, query)
 
-    query = Tag.order(["field(id, ?)", []]).to_sql
+    query = Tag.order([Arel.sql("field(id, ?)"), []]).to_sql
     assert_match(/field\(id, NULL\)/, query)
 
-    query = Tag.order(["field(id, ?)", nil]).to_sql
+    query = Tag.order([Arel.sql("field(id, ?)"), nil]).to_sql
     assert_match(/field\(id, NULL\)/, query)
   end
 
@@ -1579,7 +1579,7 @@ class RelationTest < ActiveRecord::TestCase
     scope = Post.order("comments.body")
     assert_equal ["comments"], scope.references_values
 
-    scope = Post.order("#{Comment.quoted_table_name}.#{Comment.quoted_primary_key}")
+    scope = Post.order(Arel.sql("#{Comment.quoted_table_name}.#{Comment.quoted_primary_key}"))
     if current_adapter?(:OracleAdapter)
       assert_equal ["COMMENTS"], scope.references_values
     else
@@ -1596,7 +1596,7 @@ class RelationTest < ActiveRecord::TestCase
     scope = Post.order("comments.body asc")
     assert_equal ["comments"], scope.references_values
 
-    scope = Post.order("foo(comments.body)")
+    scope = Post.order(Arel.sql("foo(comments.body)"))
     assert_equal [], scope.references_values
   end
 
@@ -1604,7 +1604,7 @@ class RelationTest < ActiveRecord::TestCase
     scope = Post.reorder("comments.body")
     assert_equal %w(comments), scope.references_values
 
-    scope = Post.reorder("#{Comment.quoted_table_name}.#{Comment.quoted_primary_key}")
+    scope = Post.reorder(Arel.sql("#{Comment.quoted_table_name}.#{Comment.quoted_primary_key}"))
     if current_adapter?(:OracleAdapter)
       assert_equal ["COMMENTS"], scope.references_values
     else
@@ -1621,7 +1621,7 @@ class RelationTest < ActiveRecord::TestCase
     scope = Post.reorder("comments.body asc")
     assert_equal %w(comments), scope.references_values
 
-    scope = Post.reorder("foo(comments.body)")
+    scope = Post.reorder(Arel.sql("foo(comments.body)"))
     assert_equal [], scope.references_values
   end
 
diff --git a/activerecord/test/cases/unsafe_raw_sql_test.rb b/activerecord/test/cases/unsafe_raw_sql_test.rb
new file mode 100644
index 0000000000..72d4997d0b
--- /dev/null
+++ b/activerecord/test/cases/unsafe_raw_sql_test.rb
@@ -0,0 +1,299 @@
+# frozen_string_literal: true
+
+require "cases/helper"
+require "models/post"
+require "models/comment"
+
+class UnsafeRawSqlTest < ActiveRecord::TestCase
+  fixtures :posts, :comments
+
+  test "order: allows string column name" do
+    ids_expected = Post.order(Arel.sql("title")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order("title").pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order("title").pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows symbol column name" do
+    ids_expected = Post.order(Arel.sql("title")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(:title).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(:title).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows downcase symbol direction" do
+    ids_expected = Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(title: :asc).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(title: :asc).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows upcase symbol direction" do
+    ids_expected = Post.order(Arel.sql("title") => Arel.sql("ASC")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(title: :ASC).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(title: :ASC).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows string direction" do
+    ids_expected = Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(title: "asc").pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(title: "asc").pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows multiple columns" do
+    ids_expected = Post.order(Arel.sql("author_id"), Arel.sql("title")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(:author_id, :title).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(:author_id, :title).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows mixed" do
+    ids_expected = Post.order(Arel.sql("author_id"), Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(:author_id, title: :asc).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(:author_id, title: :asc).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows table and column name" do
+    ids_expected = Post.order(Arel.sql("title")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order("posts.title").pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order("posts.title").pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows column name and direction in string" do
+    ids_expected = Post.order(Arel.sql("title desc")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order("title desc").pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order("title desc").pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: allows table name, column name and direction in string" do
+    ids_expected = Post.order(Arel.sql("title desc")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order("posts.title desc").pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order("posts.title desc").pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: disallows invalid column name" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.order("len(title) asc").pluck(:id)
+      end
+    end
+  end
+
+  test "order: disallows invalid direction" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ArgumentError) do
+        Post.order(title: :foo).pluck(:id)
+      end
+    end
+  end
+
+  test "order: disallows invalid column with direction" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.order("len(title)" => :asc).pluck(:id)
+      end
+    end
+  end
+
+  test "order: always allows Arel" do
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(Arel.sql("length(title)")).pluck(:title) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(Arel.sql("length(title)")).pluck(:title) }
+
+    assert_equal ids_depr, ids_disabled
+  end
+
+  test "order: allows Arel.sql with binds" do
+    ids_expected = Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz'), id")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order([Arel.sql("REPLACE(title, ?, ?), id"), "misc", "zzzz"]).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order([Arel.sql("REPLACE(title, ?, ?), id"), "misc", "zzzz"]).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: disallows invalid bind statement" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.order(["REPLACE(title, ?, ?), id", "misc", "zzzz"]).pluck(:id)
+      end
+    end
+  end
+
+  test "order: disallows invalid Array arguments" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.order(["author_id", "length(title)"]).pluck(:id)
+      end
+    end
+  end
+
+  test "order: allows valid Array arguments" do
+    ids_expected = Post.order(Arel.sql("author_id, length(title)")).pluck(:id)
+
+    ids_depr     = with_unsafe_raw_sql_deprecated { Post.order(["author_id", Arel.sql("length(title)")]).pluck(:id) }
+    ids_disabled = with_unsafe_raw_sql_disabled   { Post.order(["author_id", Arel.sql("length(title)")]).pluck(:id) }
+
+    assert_equal ids_expected, ids_depr
+    assert_equal ids_expected, ids_disabled
+  end
+
+  test "order: logs deprecation warning for unrecognized column" do
+    with_unsafe_raw_sql_deprecated do
+      assert_deprecated(/Dangerous query method/) do
+        Post.order("length(title)")
+      end
+    end
+  end
+
+  test "pluck: allows string column name" do
+    titles_expected = Post.pluck(Arel.sql("title"))
+
+    titles_depr     = with_unsafe_raw_sql_deprecated { Post.pluck("title") }
+    titles_disabled = with_unsafe_raw_sql_disabled   { Post.pluck("title") }
+
+    assert_equal titles_expected, titles_depr
+    assert_equal titles_expected, titles_disabled
+  end
+
+  test "pluck: allows symbol column name" do
+    titles_expected = Post.pluck(Arel.sql("title"))
+
+    titles_depr     = with_unsafe_raw_sql_deprecated { Post.pluck(:title) }
+    titles_disabled = with_unsafe_raw_sql_disabled   { Post.pluck(:title) }
+
+    assert_equal titles_expected, titles_depr
+    assert_equal titles_expected, titles_disabled
+  end
+
+  test "pluck: allows multiple column names" do
+    values_expected = Post.pluck(Arel.sql("title"), Arel.sql("id"))
+
+    values_depr     = with_unsafe_raw_sql_deprecated { Post.pluck(:title, :id) }
+    values_disabled = with_unsafe_raw_sql_disabled   { Post.pluck(:title, :id) }
+
+    assert_equal values_expected, values_depr
+    assert_equal values_expected, values_disabled
+  end
+
+  test "pluck: allows column names with includes" do
+    values_expected = Post.includes(:comments).pluck(Arel.sql("title"), Arel.sql("id"))
+
+    values_depr     = with_unsafe_raw_sql_deprecated { Post.includes(:comments).pluck(:title, :id) }
+    values_disabled = with_unsafe_raw_sql_disabled   { Post.includes(:comments).pluck(:title, :id) }
+
+    assert_equal values_expected, values_depr
+    assert_equal values_expected, values_disabled
+  end
+
+  test "pluck: allows auto-generated attributes" do
+    values_expected = Post.pluck(Arel.sql("tags_count"))
+
+    values_depr     = with_unsafe_raw_sql_deprecated { Post.pluck(:tags_count) }
+    values_disabled = with_unsafe_raw_sql_disabled   { Post.pluck(:tags_count) }
+
+    assert_equal values_expected, values_depr
+    assert_equal values_expected, values_disabled
+  end
+
+  test "pluck: allows table and column names" do
+    titles_expected = Post.pluck(Arel.sql("title"))
+
+    titles_depr     = with_unsafe_raw_sql_deprecated { Post.pluck("posts.title") }
+    titles_disabled = with_unsafe_raw_sql_disabled   { Post.pluck("posts.title") }
+
+    assert_equal titles_expected, titles_depr
+    assert_equal titles_expected, titles_disabled
+  end
+
+  test "pluck: disallows invalid column name" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.pluck("length(title)")
+      end
+    end
+  end
+
+  test "pluck: disallows invalid column name amongst valid names" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.pluck(:title, "length(title)")
+      end
+    end
+  end
+
+  test "pluck: disallows invalid column names with includes" do
+    with_unsafe_raw_sql_disabled do
+      assert_raises(ActiveRecord::UnknownAttributeReference) do
+        Post.includes(:comments).pluck(:title, "length(title)")
+      end
+    end
+  end
+
+  test "pluck: always allows Arel" do
+    values_depr     = with_unsafe_raw_sql_deprecated { Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) }
+    values_disabled = with_unsafe_raw_sql_disabled   { Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) }
+
+    assert_equal values_depr, values_disabled
+  end
+
+  test "pluck: logs deprecation warning" do
+    with_unsafe_raw_sql_deprecated do
+      assert_deprecated(/Dangerous query method/) do
+        Post.includes(:comments).pluck(:title, "length(title)")
+      end
+    end
+  end
+
+  def with_unsafe_raw_sql_disabled(&blk)
+    with_config(:disabled, &blk)
+  end
+
+  def with_unsafe_raw_sql_deprecated(&blk)
+    with_config(:deprecated, &blk)
+  end
+
+  def with_config(new_value, &blk)
+    old_value = ActiveRecord::Base.allow_unsafe_raw_sql
+    ActiveRecord::Base.allow_unsafe_raw_sql = new_value
+    blk.call
+  ensure
+    ActiveRecord::Base.allow_unsafe_raw_sql = old_value
+  end
+end
diff --git a/activerecord/test/models/post.rb b/activerecord/test/models/post.rb
index 7f064bf3dd..780a2c17f5 100644
--- a/activerecord/test/models/post.rb
+++ b/activerecord/test/models/post.rb
@@ -319,5 +319,9 @@ class FakeKlass
     def arel_attribute(name, table)
       table[name]
     end
+
+    def enforce_raw_sql_whitelist(*args)
+      # noop
+    end
   end
 end
author	Matthew Draper <matthew@trebex.net>	2017-11-14 23:27:50 +1030
committer	Matthew Draper <matthew@trebex.net>	2017-11-14 23:30:45 +1030
commit	a1ee43d2170dd6adf5a9f390df2b1dde45018a48 (patch)
tree	e1fd861d4e370e81c312aa1b4fde45eff48c08f1 /activerecord/test
parent	ed100166874fb4a542c5aaba933a4cca5ed72269 (diff)
parent	4a5b3ca972e867d9b9276dcd98b0a6b9b6fb7583 (diff)
download	rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.gz rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.tar.bz2 rails-a1ee43d2170dd6adf5a9f390df2b1dde45018a48.zip