Discovered 9 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/project.rb:639

with_project_feature.where("#{ProjectFeature.quoted_access_level_column(feature)} IS NULL OR #{ProjectFeature.quoted_access_level_column(feature)} IN (:public_visible) OR (#{ProjectFeature.quoted_access_level_column(feature)} = :private_visible AND EXISTS (:authorizations))", :public_visible => ([20, 30]), :private_visible => 10, :authorizations => user.authorizations_for_projects(:min_access_level => ProjectFeature.required_minimum_access_level(feature)))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/project.rb or mark it as false positive.