Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:158

where("topics.category_id IS NULL OR topics.category_id IN (SELECT id FROM categories WHERE #{(["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[0]})", (["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[1])

Category description: SQL injection occurs when a user can manipulate a value that is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as a false positive.