Skip to content

Fix 'DEPRECATION WARNING: Dangerous query method' for order_votes

Allison Browne requested to merge ab-fix-deprecation-warning into master

What does this MR do?

Overview

This fixes a deprecation warning that would appear when running ./spec/controllers/projects/issues_controller_spec.rb:

DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "COUNT(award_emoji.id) DESC". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). (called from order_votes at /Users/allisonbrowne/gitlab/gdk2/gitlab/app/models/concerns/awardable.rb:70)

Implementation

This passes an Arel::Nodes::SqlLiteral object rather than a string which removes the deprecation warning.

It is safe to wrap this with the Arel.sql method since there are no user provided inputs in the reorder clause.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Allison Browne

Merge request reports

Loading