Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:450

Topic.visible.secured(Guardian.new(user)).listable_topics.joins("JOIN topic_search_data s ON topics.id = s.topic_id").where("search_data @@ #{Search.ts_query(Search.prepare_data(((title + " ") + raw[(0...200)])), nil, "|")}").order("ts_rank(search_data, #{Search.ts_query(Search.prepare_data(((title + " ") + raw[(0...200)])), nil, "|")}) DESC")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.