Missing SQL injection/params vulnerability #1204

Closed
JacobEvelyn opened this Issue May 11, 2018 · 1 comment

JacobEvelyn commented May 11, 2018

Background

Brakeman version: 4.3.0
Rails version: 5.1.6
Ruby version: 2.5.1

Issue

It looks like Brakeman doesn't catch SQL injection vulnerabilities when arguments are splatted into ORM methods. Compare:

# Using Sequel, though don't think it matters.

def brakeman_catches_this
  render json: Person.where(params[:foo]).qualify.all
end

def brakeman_does_not_catch_this
  render json: Person.where(*params[:foo]).qualify.all
end

def brakeman_does_not_catch_this_either
  render json: Person.where(**params[:foo]).qualify.all
end

Does that make sense?

I suspect this issue might be relevant to many checks, not just the SQL injection one. Or am I missing something?

presidentbeef commented Jan 6, 2019

Might be hard to avoid false positives, but I think the simplest way to handle this is to ignore the splat and treat the argument as a regular argument.
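To make the gap in the issue and the proposed fix concrete, here is an added example (not Brakeman's code; it uses Ruby's stdlib Ripper instead of Brakeman's own Sexp representation) that scans the three actions from the issue for `where` calls fed from `params`. The `find_calls`, `flagged_lines` and `SAMPLE` names are this example's own; with `unwrap_splat: false` only the non-splatted call is reported, and with the splat ignored all three are.

```ruby
require "ripper"

# Constructed sample: the three controller actions from the issue.
SAMPLE = <<~RUBY
  def brakeman_catches_this
    render json: Person.where(params[:foo]).qualify.all
  end

  def brakeman_does_not_catch_this
    render json: Person.where(*params[:foo]).qualify.all
  end

  def brakeman_does_not_catch_this_either
    render json: Person.where(**params[:foo]).qualify.all
  end
RUBY

# Depth-first search for any node whose head symbol is one of +types+.
def contains?(node, *types)
  return false unless node.is_a?(Array)
  return true if types.include?(node.first)
  node.any? { |child| contains?(child, *types) }
end

# True if the subtree references +params+, the user-controlled input.
def references_params?(node)
  return false unless node.is_a?(Array)
  return true if node.first == :@ident && node[1] == "params"
  node.any? { |child| references_params?(child) }
end

# Collect every call to +method_name+ with its line, how the arguments
# were passed (:none, :star for *x, :double for **x) and whether they
# reference params.
def find_calls(node, method_name, out = [])
  return out unless node.is_a?(Array)
  if node.first == :method_add_arg
    call, args = node[1], node[2]
    ident = call.last if call.is_a?(Array)
    if ident.is_a?(Array) && ident.first == :@ident && ident[1] == method_name
      splat = if contains?(args, :args_add_star) then :star
              elsif contains?(args, :assoc_splat) then :double
              else :none
              end
      out << { line: ident[2][0], splat: splat, tainted: references_params?(args) }
    end
  end
  node.each { |child| find_calls(child, method_name, out) }
  out
end

# Lines where +method_name+ receives params. unwrap_splat: false skips
# splatted forms (the reported gap); true treats them as regular arguments.
def flagged_lines(src, method_name = "where", unwrap_splat: true)
  find_calls(Ripper.sexp(src), method_name)
    .select { |c| c[:tainted] && (unwrap_splat || c[:splat] == :none) }
    .map { |c| c[:line] }
end
```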

presidentbeef added a commit that referenced this issue Jan 12, 2019

presidentbeef added a commit that referenced this issue Jan 18, 2019
