Add count_by_sql() to SQL injection checks

presidentbeef · Mar 21, 2011 · 6b5ba72 · 6b5ba72
1 parent 3fe15ac
commit 6b5ba72
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/checks/check_sql.rb b/lib/checks/check_sql.rb
@@ -16,7 +16,7 @@ def run_check
     @rails_version = tracker.config[:rails_version]
     calls = tracker.find_model_find tracker.models.keys
 
-    calls.concat tracker.find_call([], /^(find.*|last|first|all|count|sum|average|minumum|maximum)$/)
+    calls.concat tracker.find_call([], /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/)
 
     calls.concat tracker.find_model_find(nil).select { |result| constantize_call? result }
 
@@ -31,7 +31,7 @@ def process_result exp
 
     args = process call[3]
 
-    if call[2] == :find_by_sql
+    if call[2] == :find_by_sql or call[2] == :count_by_sql
       failed = check_arguments args[1]
     elsif call[2].to_s =~ /^find/
       failed = (args.length > 2 and check_arguments args[-1])

diff --git a/lib/processors/lib/find_model_call.rb b/lib/processors/lib/find_model_call.rb
@@ -6,7 +6,7 @@ class FindModelCall < FindCall
 
   #Passes +targets+ to FindCall
   def initialize targets
-    super(targets, /^(find.*|first|last|all)$/)
+    super(targets, /^(find.*|first|last|all|count|sum|average|minumum|maximum|count_by_sql)$/)
   end 
 
   #Matches entire method chain as a target. This differs from