From 6137c426522f2ce565bc2ccafd246f54089afd45 Mon Sep 17 00:00:00 2001
From: orbisai0security <orbisai0security@users.noreply.github.com>
Date: Thu, 1 Jan 2026 05:43:33 +0000
Subject: [PATCH] fix: resolve critical vulnerability V-001

Automatically generated security fix
---
 script/migrations/reset_boards_ids.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/script/migrations/reset_boards_ids.rb b/script/migrations/reset_boards_ids.rb
index a0621a19cb..8bb7168dcc 100644
--- a/script/migrations/reset_boards_ids.rb
+++ b/script/migrations/reset_boards_ids.rb
@@ -40,7 +40,7 @@
     ApplicationRecord.connection.execute("SELECT board_id FROM boards_filters").each do |row|
       old_id = row[0]
       if id_mapping[old_id]
-        ApplicationRecord.connection.execute("UPDATE boards_filters SET board_id = #{id_mapping[old_id]} WHERE board_id = #{old_id}")
+        ApplicationRecord.connection.execute("UPDATE boards_filters SET board_id = ? WHERE board_id = ?", [id_mapping[old_id], old_id])
       end
     end
 
@@ -91,13 +91,13 @@
     boards.each do |board|
       new_id = id_mapping[board.id]
       # Use direct SQL to update the ID to avoid ActiveRecord validations
-      ApplicationRecord.connection.execute("UPDATE boards SET id = #{new_id} WHERE id = #{board.id}")
+      ApplicationRecord.connection.execute("UPDATE boards SET id = ? WHERE id = ?", [new_id, board.id])
     end
 
     # Reset the SQLite sequence for the boards table
     ApplicationRecord.connection.execute("DELETE FROM sqlite_sequence WHERE name = 'boards'")
     max_id = Board.maximum(:id) || 0
-    ApplicationRecord.connection.execute("INSERT INTO sqlite_sequence (name, seq) VALUES ('boards', #{max_id})")
+    ApplicationRecord.connection.execute("INSERT INTO sqlite_sequence (name, seq) VALUES ('boards', ?)", [max_id])
 
     puts "Board IDs have been reset successfully!"
   rescue => e