class RuboCop::Cop::Highlands::RiskyActiverecordInvocation

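Disallow ActiveRecord calls whose first argument is an interpolated string or a string built with `+`. A query fragment assembled this way reaches the database without ActiveRecord's parameter binding.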

Constants

MSG
VULNERABLE_AR_METHODS

Public Instance Methods

includes_interpolation?(args)

Return true if the first arg is a :dstr that has non-:str components

# File lib/rubocop/cop/highlands/risky_activerecord_invocation.rb, line 49
# Reports whether the first argument is a string literal with interpolation.
#
# Only the first element of +args+ is inspected. A :dstr node whose children
# are all :str carries no runtime value (e.g. a literal split across lines),
# so it is not reported; any other child type means something is spliced into
# the string when it is evaluated.
#
# NOTE(review): interpolation in later arguments, or nested inside another
# node (an array, a method call), is not seen by this check.
#
# args    - argument nodes of the call under inspection (may be empty)
# returns - true when the first argument is a :dstr with a non-:str child,
#           false otherwise
def includes_interpolation?(args)
  head = args.first
  return false if head.nil?
  return false unless head.type == :dstr

  head.each_child_node.any? { |part| part.type != :str }
end
includes_sum?(args)
# File lib/rubocop/cop/highlands/risky_activerecord_invocation.rb, line 55
# Reports whether the first argument is itself a call to the + operator,
# i.e. a value built by addition/concatenation at the call site.
#
# Only the outermost node of the first argument is examined; the operands of
# + are not inspected, so any + expression matches regardless of what is
# being added.
#
# NOTE(review): strings assembled by other means (<<, concat, format, %) are
# not matched here.
#
# args    - argument nodes of the call under inspection (may be empty)
# returns - true when the first argument is a :send node for :+,
#           false otherwise
def includes_sum?(args)
  head = args.first
  return false if head.nil?

  head.type == :send && head.method_name == :+
end
on_send(node)
# File lib/rubocop/cop/highlands/risky_activerecord_invocation.rb, line 32
# Inspects a method-call (send) node and registers an offense when a listed
# ActiveRecord method receives an interpolated or +-built first argument.
#
# The node is destructured into receiver, method name and argument nodes.
# The call is ignored when:
#   * it has no explicit receiver,
#   * the method name is not accepted by vulnerable_ar_method?, or
#   * neither includes_interpolation? nor includes_sum? matches the arguments.
#
# NOTE(review): because receiver-less calls return early, the same pattern
# written with an implicit receiver is not reported - confirm that this is
# the intended coverage.
#
# node - the send node being visited
def on_send(node)
  receiver, method_name, *call_args = *node

  return if receiver.nil?
  return unless vulnerable_ar_method?(method_name)
  return unless includes_interpolation?(call_args) || includes_sum?(call_args)

  add_offense(node)
end
vulnerable_ar_method?(method)
# File lib/rubocop/cop/highlands/risky_activerecord_invocation.rb, line 44
# Reports whether +method+ is one of the names listed in
# VULNERABLE_AR_METHODS. The match is on the method name alone; the receiver
# of the call is not considered here.
#
# method  - method name taken from the send node
# returns - the result of VULNERABLE_AR_METHODS.include?(method)
def vulnerable_ar_method?(method)
  watched = VULNERABLE_AR_METHODS
  watched.include?(method)
end