Potential SQL Injection in Rails 3.0.x

I remember talking to Aaron about this when I was working on the SQL Server visitor for ActiveRecord v3.0.3 and ARel 2. Basically, some patches to 2.1 to cast all limits to integers were not transposed to ARel quite yet, basically because it would be perfectly reasonable to pass a SQL literal. For instance:

Model.all :limit => Arel.sql("SELECT COUNT(*) ...")

So I have a few questions. First, it looks like from the ActiveRecord interface to ARel that this no longer works. It also looks like the patches ignore offset too, which can also have valid expressions. Is there an interest in picking this back up and submitting a patch? I currently have a test in the SQL Server adapter that fails now, since I was counting on this feature being there. Also, should I have submitted a security bug? I admit I have never done that before and realize I should have. Where is the place to do that in the future?

- Ken
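As an added illustration of the trade-off the post describes (casting limits to integers while still allowing an explicit SQL literal), here is a stand-alone Ruby sanitizer for limit and offset. It is example code, not ActiveRecord or ARel code; `SqlLiteral` is a hypothetical stand-in for `Arel.sql(...)`, and `sanitize_count` / `limit_offset_clause` are names chosen for this example.

```ruby
# Added example, not Rails/ARel code. SqlLiteral stands in for Arel.sql(...):
# a value that application code (never request input) explicitly vouches for.
class SqlLiteral
  attr_reader :sql

  def initialize(sql)
    @sql = sql
  end

  def to_s
    sql
  end
end

# Returns an Integer, or an SqlLiteral unchanged. Plain strings are accepted
# only when they parse as a base-10 integer; anything else raises, so an
# untrusted value can never be spliced into the query text verbatim.
def sanitize_count(value, name)
  case value
  when Integer, SqlLiteral
    value
  when String
    begin
      Integer(value, 10)
    rescue ArgumentError, TypeError
      raise ArgumentError, "#{name} must be an integer, got #{value.inspect}"
    end
  else
    raise ArgumentError, "#{name} must be an Integer, integer String or SqlLiteral, got #{value.class}"
  end
end

# Builds the LIMIT/OFFSET tail of a SELECT from sanitized values.
# nil means the clause is omitted; both limit and offset go through the
# same check, since offset also accepts expressions in the original code.
def limit_offset_clause(limit: nil, offset: nil)
  parts = []
  parts << "LIMIT #{sanitize_count(limit, 'limit')}" unless limit.nil?
  parts << "OFFSET #{sanitize_count(offset, 'offset')}" unless offset.nil?
  parts.join(" ")
end
```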