Discovered about 1 year ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium


Possible SQL injection

NotificationSetting.where(:source_type =>, :source_id => self_and_ancestors_ids)
  .joins("LEFT JOIN (#{self_and_ancestors(:hierarchy_order => hierarchy_order).to_sql}) AS ordered_groups ON notification_settings.source_id =")
  .select("notification_settings.*, ordered_groups.depth AS depth")
  .order("ordered_groups.depth #{hierarchy_order}")

Category description: SQL injection occurs when a user can manipulate a value that is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group.rb or mark it as false positive.