We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium


Possible SQL injection



self.includes(:acting_user, :target_user).where(:group_id => group.id).order("group_histories.created_at DESC").where(:action => self.actions[params.slice(*filters)[:action].to_sym]).where(:subject => params.slice(*filters)[:subject]).where("#{filter}_id" => User.where(:username_lower => params.slice(*filters)[filter]).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group_history.rb or mark it as false positive.