Created
October 3, 2013 04:49
-
-
Save claudiob/6805144 to your computer and use it in GitHub Desktop.
The ActiveRecord `order` is subject to SQL injection (http://rails-sqli.org/#order) and, for instance, applies LIMIT to the query.
Maybe we can improve this?
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| unless File.exists?('Gemfile') | |
| File.write('Gemfile', <<-GEMFILE) | |
| source 'https://rubygems.org' | |
| gem 'rails', github: 'rails/rails' | |
| gem 'sqlite3' | |
| GEMFILE | |
| system 'bundle' | |
| end | |
| require 'bundler' | |
| Bundler.setup(:default) | |
| require 'active_record' | |
| require 'minitest/autorun' | |
| require 'logger' | |
| # This connection will do for database-independent bug reports. | |
| ActiveRecord::Base.establish_connection(adapter: 'sqlite3', database: ':memory:') | |
| ActiveRecord::Base.logger = Logger.new(STDOUT) | |
| ActiveRecord::Schema.define do | |
| create_table :posts do |t| | |
| end | |
| create_table :comments do |t| | |
| t.integer :post_id | |
| end | |
| end | |
| class Post < ActiveRecord::Base | |
| has_many :comments | |
| end | |
| class Comment < ActiveRecord::Base | |
| belongs_to :post | |
| end | |
| class BugTest < Minitest::Test | |
| def test_order_is_affected_by_limit_in_the_argument | |
| 2.times { Post.create! } | |
| assert_equal Post.order("id"), Post.order("id LIMIT 1") | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Gist created using the ActiveRecord template