2011 Nov 22
A "strict Arel" mode for ActiveRecord to prevent SQL injection vulnerabilities
...open to accepting a patch for the above to Arel and
ActiveRecord?
Experiments:
-----------------
As an experiment, I tried the following monkey patch (which obviously is
missing the registration mechanism; and the whitelisting of
Arel/ActiveRecord-internal SQL literals):
$ cat vendor/plugins/strict_arel/lib/strict_arel.rb
# StrictArel
require 'arel'
module Arel
WHITELISTED_RAW_SQL = ["\0", '?', '*'] by
module Nodes
class SqlLiteral
alias_method :sqlLiteralInitialize_Do_Not_Call_This_Or_Else, :initialize
def initialize(raw...