False positive - Ruby on Rails: SQL query built from user-controlled sources

[kostyanf14]

Description of the false positive

Rails execute sanitize_sql_for_assignment when update_all called with an array as the argument:
https://github.com/rails/rails/blob/v7.0.8/activerecord/lib/active_record/relation.rb#L476

Code samples or links to source code

https://github.com/amnis-invictus/ikt.edu.vn.ua/blob/e404674b8efd9c4ed668866787a8a2ef1b91514f/app/channels/api_channel.rb#L82
https://github.com/amnis-invictus/ikt.edu.vn.ua/blob/e404674b8efd9c4ed668866787a8a2ef1b91514f/app/channels/api_channel.rb#L85

URL to the alert on GitHub code scanning (optional)

https://github.com/amnis-invictus/ikt.edu.vn.ua/security/code-scanning/307
https://github.com/amnis-invictus/ikt.edu.vn.ua/security/code-scanning/308

[jketema]

Hi @kostyanf14,

Thanks for your report. I've asked the Ruby engineering team to take a look.

[jketema]

Hi @kostyanf14,

The engineering team agrees this is false positive, and they've opened an internal issue to track this. Thanks for the report!