Fix Brakeman SQL injection warnings by removing string interpolation in Arel.sql

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: maebeale

app/controllers/admin/ahoy_activities_controller.rb

@@ -176,8 +176,9 @@ def apply_event_sort(scope, column, direction)
       when "name"
         scope.reorder(name: dir)
       when "user"
-        scope.left_joins(:user)
-             .reorder(Arel.sql("users.first_name #{direction}, users.last_name #{direction}"))
+        user_sort = { "asc" => "users.first_name ASC, users.last_name ASC",
+                      "desc" => "users.first_name DESC, users.last_name DESC" }
+        scope.left_joins(:user).reorder(Arel.sql(user_sort[direction]))
       else
         scope.reorder(time: :desc)
       end
@@ -205,12 +206,13 @@ def apply_visit_sort(scope, column, direction)
       when "started_at"
         scope.reorder(started_at: dir)
       when "user"
-        scope.left_joins(:user)
-             .reorder(Arel.sql("users.first_name #{direction}, users.last_name #{direction}"))
+        user_sort = { "asc" => "users.first_name ASC, users.last_name ASC",
+                      "desc" => "users.first_name DESC, users.last_name DESC" }
+        scope.left_joins(:user).reorder(Arel.sql(user_sort[direction]))
       when "events_count"
-        scope.reorder(Arel.sql("events_count #{direction}"))
+        scope.reorder(Arel.sql(dir == :asc ? "events_count ASC" : "events_count DESC"))
       when "duration"
-        scope.reorder(Arel.sql("duration_minutes #{direction}"))
+        scope.reorder(Arel.sql(dir == :asc ? "duration_minutes ASC" : "duration_minutes DESC"))
       else
         scope.reorder(started_at: :desc)
       end

config/brakeman.ignore

@@ -23,29 +23,6 @@
       ],
       "note": ""
     },
-    {
-      "warning_type": "Remote Code Execution",
-      "warning_code": 24,
-      "fingerprint": "59ffdfd50cdef491cfd47d69eaa3edc1d3a291661c75c5f1b10c7afa173581af",
-      "check_name": "UnsafeReflection",
-      "message": "Unsafe reflection method `constantize` called on parameter value",
-      "file": "app/controllers/api/v1/resources_controller.rb",
-      "line": 3,
-      "link": "https://brakemanscanner.org/docs/warning_types/remote_code_execution/",
-      "code": "params[:type].constantize",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Api::V1::ResourcesController",
-        "method": "index"
-      },
-      "user_input": "params[:type]",
-      "confidence": "High",
-      "cwe_id": [
-        470
-      ],
-      "note": ""
-    },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 70,