-rw-r--r--activerecord/test/cases/unsafe_raw_sql_test.rb174
1 files changed, 96 insertions, 78 deletions
diff --git a/activerecord/test/cases/unsafe_raw_sql_test.rb b/activerecord/test/cases/unsafe_raw_sql_test.rb
index 89eb02594a..53418bb914 100644
--- a/activerecord/test/cases/unsafe_raw_sql_test.rb
+++ b/activerecord/test/cases/unsafe_raw_sql_test.rb
@@ -8,70 +8,77 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
fixtures :posts, :comments
test "order: allows string column name" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order("title").pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("title")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order("title").pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order("title").pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("title")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: allows symbol column name" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(:title).pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("title")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(:title).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(:title).pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("title")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: allows downcase symbol direction" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(title: :asc).pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(title: :asc).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(title: :asc).pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: allows upcase symbol direction" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(title: :ASC).pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("title") => Arel.sql("ASC")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(title: :ASC).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(title: :ASC).pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("title") => Arel.sql("ASC")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: allows string direction" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(title: "asc").pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(title: "asc").pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(title: "asc").pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: allows multiple columns" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(:author_id, :title).pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("author_id"), Arel.sql("title")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(:author_id, :title).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(:author_id, :title).pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("author_id"), Arel.sql("title")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: allows mixed" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(:author_id, title: :asc).pluck(:id)
- end
+ ids_expected = Post.order(Arel.sql("author_id"), Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(:author_id, title: :asc).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(:author_id, title: :asc).pluck(:id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.order(Arel.sql("author_id"), Arel.sql("title") => Arel.sql("asc")).pluck(:id)
+ assert_equal ids_expected, ids_enabled
+ assert_equal ids_expected, ids_disabled
end
test "order: disallows invalid column name" do
- with_config(:disabled) do
+ with_unsafe_raw_sql_disabled do
assert_raises(ActiveRecord::UnknownAttributeReference) do
Post.order("title asc").pluck(:id)
end
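Review bot: The `ids_expected` baseline at the top of each rewritten test (first at `ids_expected = Post.order(Arel.sql("title")).pluck(:id)`) runs outside both `with_unsafe_raw_sql_enabled` and `with_unsafe_raw_sql_disabled`, so it executes under whatever setting the suite leaves in place rather than a stated one. That is presumably safe only because `Arel.sql` arguments are accepted regardless of the setting, which is what the separate "always allows Arel" test asserts; the dependency is worth making explicit where the baseline is first introduced. A one-line comment above that assignment, `# Baseline: Arel.sql is accepted under every raw-SQL setting, so no wrapper is needed here`, would tell the next reader why this line is not wrapped while the two below it are. The same pattern recurs in every "allows" test of this hunk and of the pluck hunk starting at `@@ -113,52 +119,57 @@`; one comment at the first occurrence is enough.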
@@ -79,7 +86,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "order: disallows invalid direction" do
- with_config(:disabled) do
+ with_unsafe_raw_sql_disabled do
assert_raises(ArgumentError) do
Post.order(title: :foo).pluck(:id)
end
@@ -87,7 +94,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "order: disallows invalid column with direction" do
- with_config(:disabled) do
+ with_unsafe_raw_sql_disabled do
assert_raises(ActiveRecord::UnknownAttributeReference) do
Post.order(foo: :asc).pluck(:id)
end
@@ -95,15 +102,14 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "order: always allows Arel" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.order(Arel.sql("length(title)")).pluck(:title)
- end
+ ids_enabled = with_unsafe_raw_sql_enabled { Post.order(Arel.sql("length(title)")).pluck(:title) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(Arel.sql("length(title)")).pluck(:title) }
- assert_equal enabled, disabled
+ assert_equal ids_enabled, ids_disabled
end
test "order: logs deprecation warning for unrecognized column" do
- with_config(:deprecated) do
+ with_unsafe_raw_sql_deprecated do
ActiveSupport::Deprecation.expects(:warn).with do |msg|
msg =~ /\ADangerous query method used with .*length\(title\)/
end
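Review bot: In "order: always allows Arel" the new locals are named `ids_enabled` and `ids_disabled`, but both blocks end in `.pluck(:title)`, so they hold titles, not ids; the names came from the neighbouring tests that pluck `:id`. Renaming them keeps the hunk consistent with the `titles_*`/`values_*` naming the commit uses elsewhere: `titles_enabled = with_unsafe_raw_sql_enabled { Post.order(Arel.sql("length(title)")).pluck(:title) }`, `titles_disabled = with_unsafe_raw_sql_disabled { Post.order(Arel.sql("length(title)")).pluck(:title) }`, `assert_equal titles_enabled, titles_disabled`. The deprecation test that follows continues past the end of this hunk.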
@@ -113,52 +119,57 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "pluck: allows string column name" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.pluck("title")
- end
+ titles_expected = Post.pluck(Arel.sql("title"))
+
+ titles_enabled = with_unsafe_raw_sql_enabled { Post.pluck("title") }
+ titles_disabled = with_unsafe_raw_sql_disabled { Post.pluck("title") }
- assert_equal enabled, disabled
- assert_equal disabled, Post.pluck(Arel.sql("title"))
+ assert_equal titles_expected, titles_enabled
+ assert_equal titles_expected, titles_disabled
end
test "pluck: allows symbol column name" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.pluck(:title)
- end
+ titles_expected = Post.pluck(Arel.sql("title"))
+
+ titles_enabled = with_unsafe_raw_sql_enabled { Post.pluck(:title) }
+ titles_disabled = with_unsafe_raw_sql_disabled { Post.pluck(:title) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.pluck(Arel.sql("title"))
+ assert_equal titles_expected, titles_enabled
+ assert_equal titles_expected, titles_disabled
end
test "pluck: allows multiple column names" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.pluck(:title, :id)
- end
+ values_expected = Post.pluck(Arel.sql("title"), Arel.sql("id"))
+
+ values_enabled = with_unsafe_raw_sql_enabled { Post.pluck(:title, :id) }
+ values_disabled = with_unsafe_raw_sql_disabled { Post.pluck(:title, :id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.pluck(Arel.sql("title"), Arel.sql("id"))
+ assert_equal values_expected, values_enabled
+ assert_equal values_expected, values_disabled
end
test "pluck: allows column names with includes" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.includes(:comments).pluck(:title, :id)
- end
+ values_expected = Post.includes(:comments).pluck(Arel.sql("title"), Arel.sql("id"))
+
+ values_enabled = with_unsafe_raw_sql_enabled { Post.includes(:comments).pluck(:title, :id) }
+ values_disabled = with_unsafe_raw_sql_disabled { Post.includes(:comments).pluck(:title, :id) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.includes(:comments).pluck(Arel.sql("title"), Arel.sql("id"))
+ assert_equal values_expected, values_enabled
+ assert_equal values_expected, values_disabled
end
test "pluck: allows auto-generated attributes" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.pluck(:tags_count)
- end
+ values_expected = Post.pluck(Arel.sql("tags_count"))
+
+ values_enabled = with_unsafe_raw_sql_enabled { Post.pluck(:tags_count) }
+ values_disabled = with_unsafe_raw_sql_disabled { Post.pluck(:tags_count) }
- assert_equal enabled, disabled
- assert_equal disabled, Post.pluck(Arel.sql("tags_count"))
+ assert_equal values_expected, values_enabled
+ assert_equal values_expected, values_disabled
end
test "pluck: disallows invalid column name" do
- with_config(:disabled) do
+ with_unsafe_raw_sql_disabled do
assert_raises(ActiveRecord::UnknownAttributeReference) do
Post.pluck("length(title)")
end
@@ -166,7 +177,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "pluck: disallows invalid column name amongst valid names" do
- with_config(:disabled) do
+ with_unsafe_raw_sql_disabled do
assert_raises(ActiveRecord::UnknownAttributeReference) do
Post.pluck(:title, "length(title)")
end
@@ -174,7 +185,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "pluck: disallows invalid column names with includes" do
- with_config(:disabled) do
+ with_unsafe_raw_sql_disabled do
assert_raises(ActiveRecord::UnknownAttributeReference) do
Post.includes(:comments).pluck(:title, "length(title)")
end
@@ -182,15 +193,14 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
test "pluck: always allows Arel" do
- enabled, disabled = with_configs(:enabled, :disabled) do
- Post.includes(:comments).pluck(:title, Arel.sql("length(title)"))
- end
+ values_enabled = with_unsafe_raw_sql_enabled { Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) }
+ values_disabled = with_unsafe_raw_sql_disabled { Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) }
- assert_equal enabled, disabled
+ assert_equal values_enabled, values_disabled
end
test "pluck: logs deprecation warning" do
- with_config(:deprecated) do
+ with_unsafe_raw_sql_deprecated do
ActiveSupport::Deprecation.expects(:warn).with do |msg|
msg =~ /\ADangerous query method used with .*length\(title\)/
end
@@ -199,8 +209,16 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
end
end
- def with_configs(*new_values, &blk)
- new_values.map { |nv| with_config(nv, &blk) }
+ def with_unsafe_raw_sql_enabled(&blk)
+ with_config(:enabled, &blk)
+ end
+
+ def with_unsafe_raw_sql_disabled(&blk)
+ with_config(:disabled, &blk)
+ end
+
+ def with_unsafe_raw_sql_deprecated(&blk)
+ with_config(:deprecated, &blk)
end
def with_config(new_value, &blk)