Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group.rb:198

# Interpolated values (#{...}) in the JOIN and ORDER BY strings are the dynamic parts the scanner flags.
NotificationSetting.where(:source_type => self.class.base_class.name, :source_id => self_and_ancestors_ids).
  joins("LEFT JOIN (#{self_and_ancestors(:hierarchy_order => hierarchy_order).to_sql}) AS ordered_groups ON notification_settings.source_id = ordered_groups.id").
  select("notification_settings.*, ordered_groups.depth AS depth").
  order("ordered_groups.depth #{hierarchy_order}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group.rb or mark it as false positive.