Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rails52] Use arel to fix "Dangerous query method" #6970

Merged
merged 1 commit into from
Apr 9, 2020
Merged

[Rails52] Use arel to fix "Dangerous query method" #6970

merged 1 commit into from
Apr 9, 2020

Conversation

NickLaMuro
Copy link
Member

There were multiple places (all in .order calls) that triggered the following warning

DEPRECATION WARNING: Dangerous query method (method whose arguments are used as
raw SQL) called with non-attribute argument(s): "lower(name)".  Non-attribute
arguments will be disallowed in Rails 6.0. This method should not be called
with user-provided values, such as request parameters or model attributes.
Known-safe values can be passed by wrapping them in Arel.sql().

This fixes that by instead calling to arel_table[].lower, which does the same thing, but uses the existing arel interface to do it, which should be safer. It should fail earlier for non-name columns, and should be safer overall then using Arel.sql().

Links

@NickLaMuro
[Rails52] Use arel to fix "Dangerous query method"
18df34d 
There were multiple places (all in `.order` calls) that triggered the
following warning

  DEPRECATION WARNING: Dangerous query method (method whose arguments
  are used as raw SQL) called with non-attribute argument(s):
  "lower(name)".  Non-attribute arguments will be disallowed in Rails
  6.0. This method should not be called with user-provided values, such
  as request parameters or model attributes. Known-safe values can be
  passed by wrapping them in Arel.sql().

This fixes that by instead calling to `arel_table[].lower`, which does
the same thing, but uses the existing arel interface to do it, which
should be safer.  It should fail earlier for non-name columns, and
should be safer overall then using `Arel.sql()`.
@miq-bot
Copy link
Member

miq-bot commented Apr 8, 2020

Checked commit NickLaMuro@18df34d with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
11 files checked, 0 offenses detected
Everything looks fine. 👍

@mzazrivec mzazrivec self-assigned this Apr 9, 2020
@mzazrivec mzazrivec merged commit cae3f0d into ManageIQ:master Apr 9, 2020
@h-kataria h-kataria mentioned this pull request May 21, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mzazrivec mzazrivec mzazrivec approved these changes

Assignees

@mzazrivec mzazrivec

Labels
cleanup
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NickLaMuro @miq-bot @mzazrivec