From 8ef71ac4a119a4c03d78db2372b41ddcc8a95035 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Wed, 18 Oct 2017 10:21:45 -0600
Subject: push order arg checks down to allow for binds
---
 activerecord/test/cases/unsafe_raw_sql_test.rb | 36 ++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
(limited to 'activerecord/test/cases')
diff --git a/activerecord/test/cases/unsafe_raw_sql_test.rb b/activerecord/test/cases/unsafe_raw_sql_test.rb
index 18c6f4bae3..861df8f1da 100644
--- a/activerecord/test/cases/unsafe_raw_sql_test.rb
+++ b/activerecord/test/cases/unsafe_raw_sql_test.rb
@@ -138,6 +138,42 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase
 assert_equal ids_depr, ids_disabled
 end
 
+ test "order: allows Arel.sql with binds" do
+ ids_expected = Post.order(Arel.sql('INSTR(title, "comments"), id')).pluck(:id)
+
+ ids_depr = with_unsafe_raw_sql_deprecated { Post.order([Arel.sql("INSTR(title, ?), id"), "comments"]).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order([Arel.sql("INSTR(title, ?), id"), "comments"]).pluck(:id) }
+
+ assert_equal ids_expected, ids_depr
+ assert_equal ids_expected, ids_disabled
+ end
+
+ test "order: disallows invalid bind statement" do
+ with_unsafe_raw_sql_disabled do
+ assert_raises(ActiveRecord::UnknownAttributeReference) do
+ Post.order(["INSTR(title, ?), id", "comments"]).pluck(:id)
+ end
+ end
+ end
+
+ test "order: disallows invalid Array arguments" do
+ with_unsafe_raw_sql_disabled do
+ assert_raises(ActiveRecord::UnknownAttributeReference) do
+ Post.order(["author_id", "length(title)"]).pluck(:id)
+ end
+ end
+ end
+
+ test "order: allows valid Array arguments" do
+ ids_expected = Post.order(Arel.sql("author_id, length(title)")).pluck(:id)
+
+ ids_depr = with_unsafe_raw_sql_deprecated { Post.order(["author_id", Arel.sql("length(title)")]).pluck(:id) }
+ ids_disabled = with_unsafe_raw_sql_disabled { Post.order(["author_id", Arel.sql("length(title)")]).pluck(:id) }
+
+ assert_equal ids_expected, ids_depr
+ assert_equal ids_expected, ids_disabled
+ end
+
 test "order: logs deprecation warning for unrecognized column" do
 with_unsafe_raw_sql_deprecated do
 ActiveSupport::Deprecation.expects(:warn).with do |msg|
--
cgit v1.2.3
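Review bot: The two rejection tests, "order: disallows invalid bind statement" and "order: disallows invalid Array arguments", run only inside `with_unsafe_raw_sql_disabled`, so nothing in this hunk pins what the same Array inputs do in deprecated mode. If the Array path ever skipped the check there, a plain-String fragment such as `["INSTR(title, ?), id", "comments"]` would reach `order` with no warning and no test would fail. I would add deprecated-mode counterparts built on `ActiveSupport::Deprecation.expects(:warn)`, following the "logs deprecation warning" test whose opening lines close this hunk. The sketch below assumes deprecated mode is meant to warn for these inputs; the implementation and the `with_unsafe_raw_sql_*` helpers are outside this diff, so that needs confirming.

```ruby
test "order: logs deprecation warning for plain String with binds" do
  with_unsafe_raw_sql_deprecated do
    # Tighten with the same message matcher the neighbouring deprecation test uses.
    ActiveSupport::Deprecation.expects(:warn).at_least_once

    Post.order(["INSTR(title, ?), id", "comments"]).pluck(:id)
  end
end

test "order: logs deprecation warning for invalid Array arguments" do
  with_unsafe_raw_sql_deprecated do
    ActiveSupport::Deprecation.expects(:warn).at_least_once

    Post.order(["author_id", "length(title)"]).pluck(:id)
  end
end
```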