Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium


Possible SQL injection



Topic.where(:id => Post.with_deleted.where(:id => post_id).pluck(:topic_id).first).update_all(["#{"#{post_action_type_key}_count"} = ?", Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck(:topic_id).first).sum("#{post_action_type_key}_count")])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.