From 2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3 Mon Sep 17 00:00:00 2001
From: Ryuta Kamizono
Date: Mon, 18 Mar 2019 06:47:40 +0900
Subject: Add test case to prevent possible SQL injection

---
 activerecord/lib/arel/visitors/to_sql.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'activerecord/lib/arel/visitors/to_sql.rb')

diff --git a/activerecord/lib/arel/visitors/to_sql.rb b/activerecord/lib/arel/visitors/to_sql.rb
index 7e3e265208..72efac72bf 100644
--- a/activerecord/lib/arel/visitors/to_sql.rb
+++ b/activerecord/lib/arel/visitors/to_sql.rb
@@ -805,7 +805,9 @@ module Arel # :nodoc: all
 end
 def sanitize_as_sql_comment(o)
- o.expr.map { |v| v.gsub(%r{ /\*\+?\s* | \s*\*/ }x, "") }
+ o.expr.map { |v|
+ v.gsub(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")
+ }
 end
 def collect_optimizer_hints(o, collector)
--
cgit v1.2.3
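Review bot: The new recursive regex in `sanitize_as_sql_comment` still runs as a single `gsub` pass, and a single pass does not reach a fixpoint: the second alternative consumes leading whitespace before `*`, while the first alternative allows no whitespace between `/` and `*`, so an input such as `"/ */*"` appears to sanitize to `"/*"` (the `" */"` span is removed and the remaining `/` and `*` join up), which the old regex had the same problem with and the nesting fix does not cover. Since the output is placed verbatim into a SQL comment, anything that can reassemble into a comment delimiter after stripping should be rejected or re-stripped rather than trusted. The minimal change is to repeat the substitution until nothing changes, e.g. `sanitized = v.dup`, `nil while sanitized.gsub!(%r{ (/ (?: | \g<1>) \*) \+? \s* | \s* (\* (?: | \g<2>) /) }x, "")`, `sanitized` as the block body; the regex is also worth hoisting into a frozen constant with a comment stating that it strips `/*`, `/*+` and `*/` including nested forms, since its recursion is not obvious on reading. The commit subject says a test case is added, but only the library file is in this patch, so the case above would be a good addition to that test. `collect_optimizer_hints` continues outside the hunk.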