lib/brakeman/checks/check_sql.rb in brakeman-min-4.0.1 vs lib/brakeman/checks/check_sql.rb in brakeman-min-4.1.0

- old
+ new

@@ -36,11 +36,11 @@
 @connection_calls.concat [:exec_delete, :exec_insert, :exec_query, :exec_update]
 else
 @connection_calls.concat [:add_limit!, :add_offset_limit!, :add_lock!]
 end
- @expected_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base"]
+ @expected_targets = active_record_models.keys + [:connection, :"ActiveRecord::Base", :Arel]
 Brakeman.debug "Finding possible SQL calls on models"
 calls = tracker.find_call(:methods => @sql_targets, :nested => true)
 calls.concat tracker.find_call(:targets => active_record_models.keys, :methods => narrow_targets, :chained => true)
@@ -51,10 +51,12 @@
 Brakeman.debug "Finding possible SQL calls using constantized()"
 calls.concat tracker.find_call(:methods => @sql_targets).select { |result| constantize_call? result }
 calls.concat tracker.find_call(:targets => @expected_targets, :methods => @connection_calls, :chained => true).select { |result| connect_call? result }
+ calls.concat tracker.find_call(:target => :Arel, :method => :sql)
+
 Brakeman.debug "Finding calls to named_scope or scope"
 calls.concat find_scope_calls
 Brakeman.debug "Processing possible SQL calls"
 calls.each { |call| process_result call }
@@ -191,9 +193,11 @@
 when :from
 unsafe_sql? call.first_arg
 when :lock
 check_lock_arguments call.first_arg
 when :pluck
+ unsafe_sql? call.first_arg
+ when :sql
 unsafe_sql? call.first_arg
 when :update_all, :select
 check_update_all_arguments call.args
 when *@connection_calls
 check_by_sql_arguments call.first_arg
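Review bot: The new `:Arel` entry in `@expected_targets` carries no comment saying what it is for, and within this hunk the only consumer of `@expected_targets` is the `find_call(:targets => @expected_targets, :methods => @connection_calls, :chained => true)` lookup, which is about connection-level calls rather than `Arel.sql`; whether other helpers in this file also read `@expected_targets` is outside the hunk, so I cannot tell from here. Since `Arel.sql` itself is collected by a separate `find_call` in the same commit, a reader could easily assume this line alone is what adds Arel coverage. A one-line comment on the assignment would settle that, e.g. `# :Arel is treated as an expected SQL target alongside the models; Arel.sql calls are collected by their own find_call below`.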
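Review bot: The added `calls.concat tracker.find_call(:target => :Arel, :method => :sql)` uses the singular `:target`/`:method` keys while every neighbouring lookup in this hunk uses the plural `:targets`/`:methods` form, and unlike the first lookup above it passes no `:nested => true`; if `find_call` filters chained or nested calls by default, an `Arel.sql(...)` that is the receiver of a further call would not be collected, which the hunk does not make explicit either way. For consistency with the surrounding lines, and to state the intent about nesting, I would write it as `calls.concat tracker.find_call(:targets => [:Arel], :methods => [:sql], :nested => true)` if nested occurrences are meant to be included, or add a short comment saying why they are not. The enclosing method starts and ends outside this hunk.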
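Review bot: The new `when :sql` arm has exactly the same body as the `when :pluck` arm directly above it (`unsafe_sql? call.first_arg`), so the two could be folded into one arm, `when :pluck, :sql`, matching the multi-value form the file already uses two lines later in `when :update_all, :select`. Whichever shape is kept, a why-comment on the `:sql` arm would help the next reader, since `Arel.sql` exists precisely to pass a string through as raw SQL, e.g. `# Arel.sql marks its argument as raw SQL, so inspect it like a raw query string`. The enclosing `case` and its method start and end outside this hunk.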