.exists? SQL Injection fixed by .to_i but not .to_s #1045

Closed

oehlschl opened this Issue May 10, 2017 · 2 comments

oehlschl commented May 10, 2017

https://rails-sqli.org/rails4#exists states that "[converting] user input to a string or integer if using it as the primary key in .exists?" is an injection-safe solution to the following pattern:

# bad
User.exists? params[:id] 

Brakeman expects either hash conditions or integer conversion to escape this:

# good
User.exists? params[:id].to_i

Although converting to an integer is the right answer for most cases, .to_s is required in other equally valid cases, for example if .find has been overridden by a slugging gem or if the primary key is a string. Currently, however, Brakeman still fails with the .to_s version but should pass in that case as well.

# should also be good
User.exists? params[:id].to_s

UPDATE:
rails 4.2.8
brakeman 3.6.1
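Why the raw form is injectable and why either coercion closes the hole comes down to the type of the argument: Rails 4's exists? sends an Array or Hash to where(), where the first element of an Array is treated as raw SQL, and sends any other value to a quoted primary-key comparison. The following is an added Ruby model of that dispatch, written for this page; it is not ActiveRecord's or Brakeman's code. It assumes a "users" table with an "id" primary key, a simplified quoting function (a real adapter may also cast the value to the column type), and a constructed attacker payload sent as ?id[]=..., which Rails parses into an Array.

```ruby
# Constructed model (not ActiveRecord's code) of how Rails 4's
# Relation#exists? dispatches on the *type* of its argument, and of why
# the .to_i / .to_s coercions close the injection path described above.
# The table and primary key names are assumptions for this example.

TABLE = '"users"'
PRIMARY_KEY = '"users"."id"'

# Quote a scalar roughly the way a SQL adapter would: integers inline,
# everything else as a single-quoted literal with embedded quotes doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Mirror of the Array / Hash / scalar dispatch inside exists?:
#   Array  -> where(["raw sql", *binds]): the first element is raw SQL
#   Hash   -> where(column => value): column = quoted value (or IN list)
#   other  -> where(primary_key.eq(value)): quoted comparison on the PK
def exists_where_clause(conditions)
  case conditions
  when Array
    raw_sql, *binds = conditions
    # Each '?' placeholder gets a quoted bind; the surrounding text is raw.
    binds.each { |b| raw_sql = raw_sql.sub("?", quote_value(b)) }
    "(#{raw_sql})"
  when Hash
    conditions.map { |col, val|
      vals = Array(val).map { |v| quote_value(v) }
      if vals.size == 1
        "#{TABLE}.\"#{col}\" = #{vals.first}"
      else
        "#{TABLE}.\"#{col}\" IN (#{vals.join(', ')})"
      end
    }.join(" AND ")
  else
    "#{PRIMARY_KEY} = #{quote_value(conditions)}"
  end
end

def exists_sql(conditions)
  "SELECT 1 AS one FROM #{TABLE} WHERE #{exists_where_clause(conditions)} LIMIT 1"
end

# Constructed request parameters. A query string of the form
# ?id[]=1) OR 1=1-- arrives as an Array, which selects the raw-SQL branch;
# the same payload sent as ?id=... arrives as a plain String.
PARAMS_ARRAY  = { id: ["1) OR 1=1--"] }
PARAMS_STRING = { id: "1) OR 1=1--" }

# bad: User.exists? params[:id]
def bad_query(params)
  exists_sql(params[:id])
end

# good: User.exists? params[:id].to_i
# Array#to_i does not exist, so an Array payload raises NoMethodError
# before any SQL is built; a String payload becomes the integer 1.
def to_i_query(params)
  exists_sql(params[:id].to_i)
end

# should also be good: User.exists? params[:id].to_s
# An Array becomes its inspect form, a String stays a String; either way
# the value is a scalar and reaches the quoted primary-key comparison.
def to_s_query(params)
  exists_sql(params[:id].to_s)
end

# the other form Brakeman accepts: hash conditions
def hash_query(params)
  exists_sql(id: params[:id])
end

if __FILE__ == $0
  puts "bad   (array): #{bad_query(PARAMS_ARRAY)}"
  puts "to_s  (array): #{to_s_query(PARAMS_ARRAY)}"
  puts "to_i  (string): #{to_i_query(PARAMS_STRING)}"
  puts "hash  (array): #{hash_query(PARAMS_ARRAY)}"
end
```

Running the model with the Array payload shows the raw branch producing `WHERE (1) OR 1=1--)`, while both coercions and the hash form yield a quoted comparison. Note the asymmetry between the two fixes: .to_s turns the Array into a harmless quoted literal, whereas .to_i on an Array raises NoMethodError, so it stops the injection by failing the request rather than by sanitizing the value. Both are safe from the injection standpoint, which is the reason the issue asks for .to_s to be accepted alongside .to_i.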

presidentbeef added a commit that referenced this issue May 15, 2017

presidentbeef (Owner) commented May 15, 2017

Haha, using my own words against me 😅

presidentbeef added a commit that referenced this issue May 15, 2017

oehlschl commented May 16, 2017

Haha, I had no idea. Thanks for the quick fix! 👍

Repository owner locked and limited conversation to collaborators Jul 1, 2017
