From 2e062bae74563550b0324e5644ec8a5f5161e9e9 Mon Sep 17 00:00:00 2001 From: Brian Neel Date: Mon, 10 Jul 2017 17:27:53 -0400 Subject: Whitelist security checks for gem 0.0.5 --- app/helpers/issuables_helper.rb | 2 +- app/models/merge_request.rb | 2 +- app/models/project.rb | 2 +- app/models/user.rb | 4 ++-- app/services/labels/transfer_service.rb | 2 +- config/application.rb | 2 +- lib/ci/charts.rb | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb index b5366519ed9..9aa059c3d61 100644 --- a/app/helpers/issuables_helper.rb +++ b/app/helpers/issuables_helper.rb @@ -234,7 +234,7 @@ module IssuablesHelper end def issuables_count_for_state(issuable_type, state, finder: nil) - finder ||= public_send("#{issuable_type}_finder") + finder ||= public_send("#{issuable_type}_finder") # rubocop:disable GitlabSecurity/PublicSend cache_key = finder.state_counter_cache_key(state) @counts ||= {} diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb index 808212c780c..cbd6f6a8d5d 100644 --- a/app/models/merge_request.rb +++ b/app/models/merge_request.rb @@ -172,7 +172,7 @@ class MergeRequest < ActiveRecord::Base target = unscoped.where(target_project_id: relation).select(:id) union = Gitlab::SQL::Union.new([source, target]) - where("merge_requests.id IN (#{union.to_sql})") + where("merge_requests.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection end WIP_REGEX = /\A\s*(\[WIP\]\s*|WIP:\s*|WIP\s+)+\s*/i.freeze diff --git a/app/models/project.rb b/app/models/project.rb index d58846a25fe..38240963167 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -391,7 +391,7 @@ class Project < ActiveRecord::Base union = Gitlab::SQL::Union.new([projects, namespaces]) - where("projects.id IN (#{union.to_sql})") + where("projects.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection end def search_by_title(query) 
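Review bot: The `# rubocop:disable GitlabSecurity/PublicSend` added to the `finder ||= public_send("#{issuable_type}_finder")` line in issuables_count_for_state records that the cop was suppressed but not why the dynamic dispatch is safe, and the `send(name, ...)` suppression in config/application.rb has the same gap. Whether `issuable_type` can only take a fixed set of values is not visible in this hunk, so the justification should either state where that set is enforced or the method should check the name against an explicit allow-list of the finders it supports before calling `public_send`. Put the reason on its own line above the directive, e.g. `# issuable_type is limited to <where it is constrained>; dispatching to the matching *_finder is intentional`, rather than appending text to the rubocop directive. In config/application.rb, if the iterated names are public route helpers (their source is outside the hunk), `public_send(name, project&.namespace, project, *args)` is the narrower call and should be preferred over `send`. Both enclosing methods begin and end outside the hunks.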
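Review bot: Every `# rubocop:disable GitlabSecurity/SqlInjection` in this commit suppresses the cop without recording why the interpolated fragment is safe; in this MergeRequest hunk it is `union.to_sql` from a `Gitlab::SQL::Union` over the `source`/`target` relations, and the same pattern recurs in project.rb, both user.rb hunks and labels/transfer_service.rb, while lib/ci/charts.rb interpolates only `Ci::Pipeline.table_name` and binds `@to`/`@from` through `?` placeholders. Without a note, anyone auditing these suppressions later has to re-derive for each site that the interpolated text is relation-generated SQL or a table name and not caller-controlled input. Add a one-line reason above each disabled line, e.g. `# Safe: interpolated SQL is produced by Gitlab::SQL::Union from ActiveRecord relations, not from user input` (for charts.rb, `# Safe: only the table name is interpolated; the time bounds are bound parameters`). Where a union's input relations are built from caller-supplied values (not visible in these hunks), the comment should also point to where those values are validated. The enclosing methods start outside each hunk.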
diff --git a/app/models/user.rb b/app/models/user.rb index f593fdc10dd..a19edef3aa5 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -514,7 +514,7 @@ class User < ActiveRecord::Base union = Gitlab::SQL::Union .new([groups.select(:id), authorized_projects.select(:namespace_id)]) - Group.where("namespaces.id IN (#{union.to_sql})") + Group.where("namespaces.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection end # Returns a relation of groups the user has access to, including their parent @@ -899,7 +899,7 @@ class User < ActiveRecord::Base def ci_authorized_runners @ci_authorized_runners ||= begin runner_ids = Ci::RunnerProject - .where("ci_runner_projects.project_id IN (#{ci_projects_union.to_sql})") + .where("ci_runner_projects.project_id IN (#{ci_projects_union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection .select(:runner_id) Ci::Runner.specific.where(id: runner_ids) end diff --git a/app/services/labels/transfer_service.rb b/app/services/labels/transfer_service.rb index d2ece354efc..775efed48eb 100644 --- a/app/services/labels/transfer_service.rb +++ b/app/services/labels/transfer_service.rb @@ -37,7 +37,7 @@ module Labels union = Gitlab::SQL::Union.new(label_ids) - Label.where("labels.id IN (#{union.to_sql})").reorder(nil).uniq + Label.where("labels.id IN (#{union.to_sql})").reorder(nil).uniq # rubocop:disable GitlabSecurity/SqlInjection end def group_labels_applied_to_issues diff --git a/config/application.rb b/config/application.rb index a9a961d7520..548031e72b0 100644 --- a/config/application.rb +++ b/config/application.rb @@ -171,7 +171,7 @@ module Gitlab next unless name.include?('namespace_project') define_method(name.sub('namespace_project', 'project')) do |project, *args| - send(name, project&.namespace, project, *args) + send(name, project&.namespace, project, *args) # rubocop:disable GitlabSecurity/PublicSend end end end diff --git a/lib/ci/charts.rb b/lib/ci/charts.rb index 872e418c788..76a69bf8a83 100644 
--- a/lib/ci/charts.rb +++ b/lib/ci/charts.rb @@ -47,7 +47,7 @@ module Ci def collect query = project.pipelines - .where("? > #{Ci::Pipeline.table_name}.created_at AND #{Ci::Pipeline.table_name}.created_at > ?", @to, @from) + .where("? > #{Ci::Pipeline.table_name}.created_at AND #{Ci::Pipeline.table_name}.created_at > ?", @to, @from) # rubocop:disable GitlabSecurity/SqlInjection totals_count = grouped_count(query) success_count = grouped_count(query.success) -- cgit v1.2.1