Trying to run something simple like
`post.tagged_with('awesome')`
and keep getting
```
ActiveRecord::UnknownAttributeReference (Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "SELECT COUNT(taggings.*) AS taggings_count FROM taggings ORDER BY taggings_count DESC". This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql().)
```
When I run
`post.tagged_with('awesome', any: true)`
everything works fine.
Running Rails 7 on Ruby 3, acts-as-taggable-on 9.0.1
After removing `order_by_matching_tag_count: true` the exception disappeared.
Although this makes sense in a logical way (when you look for items that are all tagged with the exact same tags you cannot order them by tag count) I think it is still an issue because in a technical way the query should be perfectly valid. Yet, the gem builds a query that violates the Rails logic of safe queries by creating a query string that contains stringified potentially insecure ("user-provided") values.
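The exception in this report comes from the raw-SQL guard that Rails applies to `order`-style query methods: a string argument is accepted only if it looks like a column reference with an optional direction, and anything else must be vouched for with `Arel.sql`. As an added illustration that is not code from the issue, from Rails or from acts-as-taggable-on, the stand-alone Ruby below mimics that guard. The regex is modelled on ActiveRecord's column-name-with-order matcher (an assumption about the exact Rails version), `KnownSafeSql` stands in for `Arel.sql`, and `disallow_raw_sql!` and `safe_order_argument?` are names chosen here. It shows why `taggings_count DESC` passes while the full SELECT string quoted in the error message is rejected.

```ruby
# Added example, modelled on the check behind ActiveRecord::UnknownAttributeReference.
# Not the Rails implementation; the regex follows ActiveRecord's column-name-with-order
# matcher as an assumption about the exact version.

# Stand-in for Arel.sql: a value the *caller* has vouched for as known-safe SQL.
KnownSafeSql = Struct.new(:sql) do
  def to_s
    sql
  end
end

# Accepts "column", "table.column", "func(column)", an optional ASC/DESC,
# an optional NULLS FIRST/LAST, and comma-separated lists of those.
# Anything else is treated as raw SQL and rejected.
COLUMN_NAME_WITH_ORDER = /
  \A
  (
    (?: ((?:\w+\.)?\w+) | \w+\((?:|\g<2>)\) )
    (?:\s+ASC|\s+DESC)?
    (?:\s+NULLS\s+(?:FIRST|LAST))?
  )
  (?:\s*,\s*\g<1>)*
  \z
/ix

class UnknownAttributeReference < StandardError; end

# Returns the arguments unchanged when every one of them is a symbol, a
# known-safe wrapper, or a plain column/direction string; otherwise raises
# with a message shaped like the one in the issue.
def disallow_raw_sql!(args)
  unexpected = args.reject do |arg|
    arg.is_a?(Symbol) ||
      arg.is_a?(KnownSafeSql) ||
      COLUMN_NAME_WITH_ORDER.match?(arg.to_s.strip)
  end
  return args if unexpected.empty?

  raise UnknownAttributeReference,
        "Dangerous query method called with non-attribute argument(s): " \
        "#{unexpected.map(&:inspect).join(', ')}. Known-safe values can be " \
        "passed by wrapping them in Arel.sql()."
end

# Convenience predicate: would this single argument get through the guard?
def safe_order_argument?(arg)
  disallow_raw_sql!([arg])
  true
rescue UnknownAttributeReference
  false
end

# The string from the error message in the issue, reused as the sample input.
REPORTED_ORDER_STRING =
  "SELECT COUNT(taggings.*) AS taggings_count FROM taggings ORDER BY taggings_count DESC"

if __FILE__ == $PROGRAM_NAME
  puts safe_order_argument?("taggings_count DESC")                # true
  puts safe_order_argument?(REPORTED_ORDER_STRING)                # false
  puts safe_order_argument?(KnownSafeSql.new(REPORTED_ORDER_STRING)) # true
end
```

The point for a library author is the third case: SQL the gem assembles itself from its own constants is exactly what `Arel.sql` is for, so wrapping that internal string satisfies the guard without changing the query. Values that originate from request parameters or model attributes should never be wrapped that way; they belong in bind parameters or in the plain column/direction form the matcher accepts.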