Check for SQLi in ActiveRecord::Relation#update_all

commit 7148a16f29c333542ff334e72b6394c4e9f633ce 1 parent 33cd485
@presidentbeef authored
Showing with 12 additions and 1 deletion.
  1. +12 −1 lib/brakeman/checks/check_sql.rb
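--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -17,7 +17,7 @@ def run_check
 @rails_version = tracker.config[:rails_version]
 @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?,
- :find, :find_by_sql, :first, :last, :maximum, :minimum, :sum]
+ :find, :find_by_sql, :first, :last, :maximum, :minimum, :sum, :update_all]
 if tracker.options[:rails3]
 @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
@@ -229,6 +229,8 @@ def process_result result
 unsafe_sql? call.first_arg
 when :lock
 check_lock_arguments call.first_arg
+ when :update_all
+ check_update_all_arguments call.args
 else
 Brakeman.debug "Unhandled SQL method: #{method}"
 end
@@ -372,6 +374,15 @@ def check_joins_arguments arg
 end
 end
+ def check_update_all_arguments args
+ args.each do |arg|
+ res = unsafe_sql? arg
+ return res if res
+ end
+
+ nil
+ end
+
 #Model#lock essentially only cares about strings. But those strings can be
 #any SQL fragment. This does not apply to all databases. (For those who do not
 #support it, the lock method does nothing).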
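Review bot: The new `check_update_all_arguments` lands without a comment while its neighbour `check_lock_arguments` explains why it exists; add a header such as `# update_all takes (updates, conditions = nil, options = {}) and any of them may carry a raw SQL fragment, so every argument is checked and the first unsafe one is returned.` Because the loop returns on the first hit, a call with several tainted arguments yields a single warning, which looks intentional but is worth stating in that comment. One behaviour to confirm: Rails quotes Hash assignments in `update_all(:name => params[:name])`, so if `unsafe_sql?` descends into hash values this method will report a false positive for the safe hash form — a spec covering that case would pin it down, but `unsafe_sql?` is not visible from this hunk. `run_check` and `process_result` both continue outside their hunks.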