Mark safe SQL with Arel.sql

Rails 5.2 is raising a warning in some places:

DEPRECATION WARNING: Dangerous query method (method whose arguments are
used as raw SQL) called with non-attribute argument(s). Non-attribute
arguments will be disallowed in Rails 6.0. This method should not be
called with user-provided values, such as request parameters or model
attributes. Known-safe values can be passed by wrapping them in
Arel.sql().

In our opinion this warning is a false positive here, since we are only using
literal strings with known PostgreSQL functions like LOWER() or RANDOM(). As far
as we know, this code works without warnings in Rails 6.0 [1][2]

However, since the warning is annoying, we need to take measures so our
logs are clean.

[1] https://github.com/rails/rails/commit/6c82b6c99d
[2] https://github.com/rails/rails/commit/64d8c54e16
This commit is contained in:
Javi Martín
2020-05-17 21:10:09 +02:00
parent 2d9f679105
commit 16c16e3cdf
5 changed files with 6 additions and 6 deletions


@@ -4,7 +4,7 @@ class Admin::GeozonesController < Admin::BaseController
load_and_authorize_resource load_and_authorize_resource
def index def index
@geozones = Geozone.all.order("LOWER(name)") @geozones = Geozone.all.order(Arel.sql("LOWER(name)"))
end end
def new def new
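Review bot: Wrapping the literal in `Arel.sql` on the `@geozones` line permanently switches off Rails' raw-SQL guard for that call, so a later edit that interpolates a request parameter into the string would go unwarned; the reason the literal is trusted should be recorded next to it, e.g. `# Arel.sql: constant SQL with no user input — never interpolate params here`. The `.all` before `.order` is redundant on a model class and can be dropped: `@geozones = Geozone.order(Arel.sql("LOWER(name)"))`. If you would rather avoid raw SQL entirely, the same ordering can presumably be built as `Arel::Nodes::NamedFunction.new("LOWER", [Geozone.arel_table[:name]])`, which needs no trust marker.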


@@ -61,7 +61,7 @@ class Legislation::AnnotationsController < Legislation::BaseController
end end
def search def search
@annotations = @draft_version.annotations.order("LENGTH(quote) DESC") @annotations = @draft_version.annotations.order(Arel.sql("LENGTH(quote) DESC"))
annotations_hash = { total: @annotations.size, rows: @annotations } annotations_hash = { total: @annotations.size, rows: @annotations }
render json: annotations_hash.to_json(methods: :weight) render json: annotations_hash.to_json(methods: :weight)
end end
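Review bot: On the `annotations_hash` line, `@annotations.size` issues a separate COUNT query because the relation built just above is not loaded yet, and `rows: @annotations` then loads the same rows for the JSON; materializing once avoids the double round trip, e.g. `@annotations = @draft_version.annotations.order(Arel.sql("LENGTH(quote) DESC")).to_a`, after which `size` is an array length (assuming nothing downstream needs the relation). The `Arel.sql` literal is constant, which is the only reason marking it trusted is safe; a short `# constant SQL, no user input` comment helps keep it that way. The result is rendered without any limit, so it is presumably bounded only by the draft version's annotation count — confirm that is acceptable for this endpoint.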


@@ -3,9 +3,9 @@ class ApplicationRecord < ActiveRecord::Base
def self.sample(count = 1) def self.sample(count = 1)
if count == 1 if count == 1
reorder("RANDOM()").first reorder(Arel.sql("RANDOM()")).first
else else
reorder("RANDOM()").limit(count) reorder(Arel.sql("RANDOM()")).limit(count)
end end
end end
end end
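Review bot: `sample` returns a single record (or `nil`) when `count == 1` but an unloaded relation otherwise, and that asymmetry should be documented because callers cannot treat the two uniformly; e.g. `# Returns one random record (nil if none) when count == 1, otherwise a relation of up to count random records`. `RANDOM()` is PostgreSQL-specific, as the commit message notes, and `ORDER BY RANDOM()` sorts the whole table on every call, so a comment warning against using this on large tables in request paths would be worthwhile. The `Arel.sql` literal is constant, which is what makes marking it trusted legitimate — worth saying so inline.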


@@ -49,7 +49,7 @@ class Comment < ApplicationRecord
scope :sort_by_most_voted, -> { order(confidence_score: :desc, created_at: :desc) } scope :sort_by_most_voted, -> { order(confidence_score: :desc, created_at: :desc) }
scope :sort_descendants_by_most_voted, -> { order(confidence_score: :desc, created_at: :asc) } scope :sort_descendants_by_most_voted, -> { order(confidence_score: :desc, created_at: :asc) }
scope :sort_by_supports, -> { order("cached_votes_up - cached_votes_down DESC") } scope :sort_by_supports, -> { order(Arel.sql("cached_votes_up - cached_votes_down DESC")) }
scope :sort_by_newest, -> { order(created_at: :desc) } scope :sort_by_newest, -> { order(created_at: :desc) }
scope :sort_descendants_by_newest, -> { order(created_at: :desc) } scope :sort_descendants_by_newest, -> { order(created_at: :desc) }
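Review bot: `sort_by_supports` orders by `cached_votes_up - cached_votes_down DESC` with no tiebreaker, unlike the neighbouring `sort_by_most_voted` scopes which append `created_at`, so comments with equal support scores come back in an unspecified order and paginated lists can repeat or skip rows; `order(Arel.sql("cached_votes_up - cached_votes_down DESC"), created_at: :desc)` would make it stable. The columns are also left unqualified, whereas the `Poll::Question` scope in this same commit writes `poll_questions.proposal_id`; if this scope is ever combined with a join on another model carrying vote counters, `cached_votes_up` becomes ambiguous, so `comments.cached_votes_up - comments.cached_votes_down DESC` is the safer spelling. The literal is constant, which is the only reason wrapping it in `Arel.sql` is appropriate.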


@@ -28,7 +28,7 @@ class Poll::Question < ApplicationRecord
scope :by_poll_id, ->(poll_id) { where(poll_id: poll_id) } scope :by_poll_id, ->(poll_id) { where(poll_id: poll_id) }
scope :sort_for_list, -> { order("poll_questions.proposal_id IS NULL", :created_at) } scope :sort_for_list, -> { order(Arel.sql("poll_questions.proposal_id IS NULL"), :created_at) }
scope :for_render, -> { includes(:author, :proposal) } scope :for_render, -> { includes(:author, :proposal) }
def self.search(params) def self.search(params)
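Review bot: The `sort_for_list` ordering deserves a comment, because `poll_questions.proposal_id IS NULL` is a boolean sort key whose direction is not obvious: in PostgreSQL `false` sorts before `true`, so questions linked to a proposal come first and the rest follow, each group oldest first by `created_at`; `# proposal-backed questions first (IS NULL sorts false before true), then oldest first` would capture it. Marking the literal with `Arel.sql` is fine because it is a constant, but that is worth stating inline so nobody later interpolates a parameter into it. `search(params)` begins on the last line of the hunk and cannot be reviewed here.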