[ndm]

While there are many ways to catch this sort of thing (code review, static analysis, education) I have to place the "blame" here on ActiveRecord. The 'order' API takes an arbitrary string by default. 99.999% of the time, this value can be restricted to a column name or can safely be escaped. For the 0.0001% of the time that something more complex (e.g. Sorting by a calculation like sum(column)) should require a separate, more cautious or complex API call. The common assumption is that all ActiveRecord APIs are "safe" and that simply isn't the case. Brakeman couldn't catch this since it's in Sinatra code and not rails code. Code review didn't catch this because the API was assumed safe by reviewers. Education didn't catch this because not everyone has seen rails-sqli.org. Mind boggling, but still very possible.