2017/10/GHSA-pr3r-4wrp-r2pv ActiveRecord in Ruby on Rails allows database-query bypass