| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| Allow column name with function (e.g. `length(title)`) as safe SQL string<br><br>Currently, almost all "Dangerous query method" warnings are false alarms. As long as almost all the warnings are false alarms, developers think "Let's ignore the warnings by using `Arel.sql()`; it actually is a false alarm in practice.", so I think we should make an effort to reduce false alarms in order to make the warnings valuable. This allows a column name with a function (e.g. `length(title)`) as a safe SQL string, which is a very common false alarm pattern, even in our codebase. Related 6c82b6c99, 6607ecb2a, #36420. Fixes #32995. | Ryuta Kamizono | 2019-06-10 | 1 | -27/+28 |
| Allow `column_name AS alias` as safe SQL string | Ryuta Kamizono | 2019-06-10 | 1 | -0/+10 |
| Allow quoted identifier string as safe SQL string<br><br>Currently `posts.title` is regarded as a safe SQL string, but `"posts"."title"` (it is a result of `quote_table_name("posts.title")`) is regarded as an unsafe SQL string, even though a result of `quote_table_name` should obviously be regarded as a safe SQL string; since the column name matcher doesn't respect quotation, it is a little annoying. This changes the column name matcher to allow quoted identifiers as safe SQL strings, so now all results of `quote_table_name` are regarded as safe SQL strings. | Ryuta Kamizono | 2019-06-06 | 1 | -4/+26 |
| whitelist NULLS { FIRST \| LAST } in order clauses | Xavier Noria | 2018-03-06 | 1 | -0/+20 |
| Merge pull request #27947 from mastahyeti/unsafe_raw_sql<br><br>Disallow raw SQL in dangerous AR methods | Matthew Draper | 2017-11-14 | 1 | -16/+12 |
| use database agnostic function/quoting in test | Ben Toews | 2017-11-09 | 1 | -4/+4 |
| push order arg checks down to allow for binds | Ben Toews | 2017-11-09 | 1 | -0/+36 |
| try using regexes | Ben Toews | 2017-11-09 | 1 | -2/+2 |
| allow table name and direction in string order arg | Ben Toews | 2017-11-09 | 1 | -1/+41 |
| remove :enabled option | Ben Toews | 2017-11-09 | 1 | -54/+50 |
| make tests more verbose/explicit | Ben Toews | 2017-11-09 | 1 | -78/+96 |
| allow Arel.sql() for pluck | Ben Toews | 2017-11-09 | 1 | -17/+53 |
| add config to check arguments to unsafe AR methods | Ben Toews | 2017-11-09 | 1 | -0/+177 |
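The commits in this log describe, step by step, which string arguments the "dangerous query method" check in `order`/`pluck` accepts without an `Arel.sql()` wrapper: a bare or table-qualified column name, a quoted identifier, a column wrapped in a function such as `length(title)`, `column AS alias`, a direction, and `NULLS FIRST`/`NULLS LAST`. The Ruby below is an added illustration of that idea and is not the test file this log belongs to, nor Rails' own matcher, which lives in ActiveRecord's connection adapter and differs in detail. The module name `SafeSqlMatcher`, the `VouchedSql` stand-in for what `Arel.sql()` returns, the regexes and the error text are all assumptions made for this example.

```ruby
# Added example, not Rails' own code: a regex-based "safe SQL string" matcher
# covering the patterns the commit log above describes. Names and regexes are
# assumptions for illustration; Rails' real matcher differs in detail.
module SafeSqlMatcher
  # Stand-in for what Arel.sql() returns: SQL the developer has vouched for.
  class VouchedSql
    def initialize(sql)
      @sql = sql
    end

    def to_s
      @sql
    end
  end

  def self.sql(raw)
    VouchedSql.new(raw)
  end

  # Sub-patterns are kept as strings so the outer /i flag applies to all of
  # them (interpolating a Regexp object would embed its own, non-i, flags).
  IDENT          = '(?:\w+|"[^"]+"|`[^`]+`|\[[^\]]+\])'          # title, "title", `title`, [title]
  COLUMN         = "#{IDENT}(?:\\.#{IDENT})?"                      # title or posts.title
  FUNC_OR_COLUMN = "(?:#{COLUMN}|\\w+\\(\\s*#{COLUMN}\\s*\\))"     # length(title)
  ALIAS          = "(?:\\s+AS\\s+#{IDENT})?"                       # length(title) AS len
  DIRECTION      = '(?:\s+(?:ASC|DESC))?'
  NULLS          = '(?:\s+NULLS\s+(?:FIRST|LAST))?'

  ORDER_ITEM  = "#{FUNC_OR_COLUMN}#{DIRECTION}#{NULLS}"
  COLUMN_ITEM = "#{FUNC_OR_COLUMN}#{ALIAS}"

  # Whole-string anchors plus a comma-separated list; anything with an
  # operator, subquery or statement separator falls outside the grammar.
  SAFE_ORDER  = /\A#{ORDER_ITEM}(?:\s*,\s*#{ORDER_ITEM})*\z/i
  SAFE_COLUMN = /\A#{COLUMN_ITEM}(?:\s*,\s*#{COLUMN_ITEM})*\z/i

  def self.safe_order?(str)
    SAFE_ORDER.match?(str)
  end

  def self.safe_column?(str)
    SAFE_COLUMN.match?(str)
  end

  # Models the strict (raising) mode of the raw-SQL argument check: symbols
  # and vouched-for SQL pass through, plain strings must look like column
  # references, and anything else raises, so user-controlled SQL never
  # reaches order/pluck unvetted.
  def self.check!(kind, *args)
    matcher = kind == :order ? method(:safe_order?) : method(:safe_column?)
    args.map do |arg|
      case arg
      when Symbol, VouchedSql
        arg.to_s
      when String
        unless matcher.call(arg)
          raise ArgumentError,
                "Dangerous query method called with non-attribute argument: #{arg.inspect}. " \
                "Wrap known-safe SQL in Arel.sql()."
        end
        arg
      else
        raise ArgumentError, "unsupported argument type #{arg.class}"
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p SafeSqlMatcher.check!(:order, :title, "posts.title DESC", "length(title)", '"posts"."title"')
  begin
    SafeSqlMatcher.check!(:order, "title; DROP TABLE posts")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The practical point the log is making is visible in the two matchers: every pattern the commits whitelist is a closed grammar of identifiers, so widening it to `length(title)` or `"posts"."title"` removes false alarms without ever admitting an operator, a subquery or a `;`. Strings outside that grammar still need an explicit `Arel.sql()` (here `SafeSqlMatcher.sql`), which keeps the decision to trust raw SQL in the developer's code rather than in the matcher.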