Discovered about 1 year ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/ci/processable.rb:41

where(:scheduling_type => nil).update_all("scheduling_type = CASE WHEN (EXISTS (#{Ci::BuildNeed.scoped_build.select(1).to_sql}))\n         THEN #{scheduling_types[:dag]}\n         ELSE #{scheduling_types[:stage]}\n         END")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/ci/processable.rb or mark it as false positive.