Tags: sql, ruby-on-rails, sql-injection, arel

How to sanitize Arel SQL?


I have the following Arel SQL:

Arel.sql("(users.last_donated_at IS NOT NULL AND users.last_donated_at < '#{User::ACTIVE_DONOR_WITHIN_DAYS.days.ago}')")

I get an SQL Injection warning when I run brakeman. I tried the following:

Arel.sql("(users.last_donated_at IS NOT NULL AND users.last_donated_at < ?)", User::ACTIVE_DONOR_WITHIN_DAYS.days.ago)

However, I get the following error:

ArgumentError:
       wrong number of arguments (given 2, expected 1)

How do I sanitize an SQL statement with Arel?


Solution

  • I am answering my own question. I am using Arel following the GitHub wiki for the Ransack gem. I was doing something very similar to point 2.2 mentioned in the doc: https://github.com/activerecord-hackery/ransack/wiki/Using-Ransackers. In order to sanitize the params and avoid the brakeman SQL injection warning, I ended up doing the following:

    Arel.sql(sanitize_sql_array("(users.last_donated_at IS NOT NULL AND users.last_donated_at < '#{User::ACTIVE_DONOR_WITHIN_DAYS.days.ago}')"))
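As an added example that is not part of the question or the answer above: the script below re-implements, in plain Ruby with no Rails dependency, the two behaviours of ActiveRecord's sanitize_sql_array that matter here (a bare string is returned untouched; a [statement, *values] array has each ? replaced by a quoted value) and runs both forms from this thread through it. Passing a single, already-interpolated string, as the accepted answer does, returns it unchanged, so it silences brakeman but quotes nothing; that is harmless in this case only because ACTIVE_DONOR_WITHIN_DAYS.days.ago is computed server-side and never comes from a request. The [statement, value] form is the one that actually quotes, and it is what to use if the bound value can ever be user-controlled. The ArgumentError in the question is expected: in that Rails version Arel.sql takes exactly one string and does no binding at all, which is why brakeman flags interpolation inside it. quote_value is an assumed stand-in for the adapter's connection.quote, and CUTOFF and TAINTED are constructed inputs.

```ruby
# Added example, not code from the question, the answer, or Rails itself.
# Plain-Ruby re-implementation of the relevant behaviour of
# ActiveRecord::Sanitization::ClassMethods#sanitize_sql_array.

# Assumption: a simplified stand-in for connection.quote. Real adapters do
# more (encoding, binary data, adapter-specific escaping); single-quote
# doubling is the part that defeats the classic ' OR '1'='1 payload.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  when Time    then "'#{value.utc.strftime('%Y-%m-%d %H:%M:%S')}'"
  else              "'#{value.to_s.gsub("'", "''")}'"
  end
end

def sanitize_sql_array(ary)
  statement, *values = Array(ary)
  # Mirrors ActiveRecord: with no "?" placeholders (including the case where
  # the caller already interpolated the value into the string) nothing is
  # quoted and the statement comes back as-is.
  return statement unless statement.include?("?")

  parts = statement.split("?", -1)
  expected = parts.size - 1
  if values.size != expected
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{expected})"
  end
  # Split on the placeholders first and then splice the quoted values in, so a
  # "?" that appears inside a quoted value is never mistaken for a placeholder.
  parts.first + values.zip(parts.drop(1)).map { |v, tail| quote_value(v) + tail }.join
end

# Constructed inputs. CUTOFF stands in for ACTIVE_DONOR_WITHIN_DAYS.days.ago;
# TAINTED is the shape of value an attacker would supply if the cutoff were
# ever read from a request parameter.
ACTIVE_DONOR_WITHIN_DAYS = 30
CUTOFF  = Time.utc(2024, 1, 31, 12, 0, 0)
TAINTED = "2024-01-01' OR '1'='1"

# The accepted answer's form: the value is interpolated before
# sanitize_sql_array ever sees it, so there is nothing left to bind.
def interpolated_sql(cutoff)
  sanitize_sql_array("(users.last_donated_at IS NOT NULL AND users.last_donated_at < '#{cutoff}')")
end

# The placeholder form: sanitize_sql_array does the quoting itself.
def bound_sql(cutoff)
  sanitize_sql_array(["(users.last_donated_at IS NOT NULL AND users.last_donated_at < ?)", cutoff])
end

if __FILE__ == $0
  puts "interpolated, trusted value: #{interpolated_sql(CUTOFF)}"
  puts "bound, trusted value:        #{bound_sql(CUTOFF)}"
  puts "interpolated, tainted value: #{interpolated_sql(TAINTED)}"
  puts "bound, tainted value:        #{bound_sql(TAINTED)}"
end
```

Running it shows the interpolated form with TAINTED producing `... < '2024-01-01' OR '1'='1')`, a tautology that would match every row, while the bound form produces `... < '2024-01-01'' OR ''1''=''1')`, a single harmless string literal. In a real ransacker the same [statement, value] array would be passed to sanitize_sql_array and the result wrapped in Arel.sql, which only marks the already-quoted string as trusted.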