method
enforce_raw_sql_whitelist
v5.2.3 -
Class: ActiveRecord::AttributeMethods::ClassMethods
enforce_raw_sql_whitelist(args, whitelist: COLUMN_NAME_WHITELIST)
public
# File activerecord/lib/active_record/attribute_methods.rb, line 193
#
# Screens the arguments handed to a query method whose arguments are used as
# raw SQL, and reacts to any argument that is not recognisably an attribute.
#
# An argument passes when it is an Arel node, an Arel::Nodes::SqlLiteral (the
# Arel.sql() wrapper named in the deprecation text), an Arel attribute, or when
# every comma-separated part of its string form matches +whitelist+.
#
# Security notes for callers:
# * An Arel::Nodes::SqlLiteral is accepted without looking at its content, so
#   wrapping a value is the caller's assertion that it is known-safe. Wrapping
#   request parameters or model attributes defeats this check.
# * When allow_unsafe_raw_sql is :deprecated the method only emits a
#   deprecation warning; it does not raise, so nothing here blocks the
#   unexpected argument in that mode.
#
# Returns nil when every argument passes. Raises
# ActiveRecord::UnknownAttributeReference for unexpected arguments unless the
# mode is :deprecated.
def enforce_raw_sql_whitelist(args, whitelist: COLUMN_NAME_WHITELIST) # :nodoc:
  offending = args.reject do |candidate|
    # Arel objects are taken as-is; only plain values are matched below.
    next true if candidate.kind_of?(Arel::Node)
    next true if candidate.is_a?(Arel::Nodes::SqlLiteral)
    next true if candidate.is_a?(Arel::Attributes::Attribute)

    # A single argument may carry several comma-separated parts; each part
    # must match the whitelist for the argument to be accepted.
    candidate.to_s.split(/\s*,\s*/).all? { |piece| whitelist.match?(piece) }
  end

  return if offending.none?

  # Any mode other than :deprecated rejects the call outright.
  unless allow_unsafe_raw_sql == :deprecated
    raise(
      ActiveRecord::UnknownAttributeReference,
      "Query method called with non-attribute argument(s): #{offending.map(&:inspect).join(", ")}"
    )
  end

  # Warn-only path: the caller is told, but the call is not stopped here.
  ActiveSupport::Deprecation.warn(
    "Dangerous query method (method whose arguments are used as raw SQL) " \
    "called with non-attribute argument(s): #{offending.map(&:inspect).join(", ")}. " \
    "Non-attribute arguments will be disallowed in Rails 6.0. " \
    "This method should not be called with user-provided values, " \
    "such as request parameters or model attributes. " \
    "Known-safe values can be passed by wrapping them in Arel.sql()."
  )
end