
Missing SQL injection/params vulnerability #1204

JacobEvelyn opened this Issue May 11, 2018 · 1 comment



JacobEvelyn commented May 11, 2018


Brakeman version: 4.3.0
Rails version: 5.1.6
Ruby version: 2.5.1


It looks like Brakeman doesn't catch SQL injection vulnerabilities when arguments are splatted into ORM methods. Compare:

# Using Sequel, though don't think it matters.

def brakeman_catches_this
  render json: Person.where(params[:foo]).qualify.all
end

def brakeman_does_not_catch_this
  render json: Person.where(*params[:foo]).qualify.all
end

def brakeman_does_not_catch_this_either
  render json: Person.where(**params[:foo]).qualify.all
end

Does that make sense?

I suspect this issue might be relevant to many checks, not just the SQL injection one. Or am I missing something?



presidentbeef commented Jan 6, 2019

Might be hard to avoid false positives, but I think the simplest way to handle this is to ignore the splat and treat the argument as a regular argument.
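An added example, not Brakeman's own code and not from either commenter, sketching the approach proposed above: a small walk over Ruby's stdlib Ripper S-expression for a constructed copy of the three actions (plus one safe action) that looks through `*` and `**` splats as if they were ordinary arguments and reports every `where` call whose arguments reference `params`. The `SAMPLE` source, the `Person` model and the helper names are assumptions for the demo.

```ruby
require "ripper"
# Constructed sample: the three actions from the report plus a safe one.
SAMPLE = <<~RUBY
  def brakeman_catches_this
    render json: Person.where(params[:foo]).qualify.all
  end
  def brakeman_does_not_catch_this
    render json: Person.where(*params[:foo]).qualify.all
  end
  def brakeman_does_not_catch_this_either
    render json: Person.where(**params[:foo]).qualify.all
  end
  def safe_lookup
    render json: Person.where(id: 1).all
  end
RUBY

# True if any node in the Ripper subtree satisfies the predicate.
def any_node?(node, &pred)
  node.is_a?(Array) && (pred.call(node) || node.any? { |c| any_node?(c, &pred) })
end
# User input: a bare reference to `params`, splatted or not.
def mentions_params?(node)
  any_node?(node) { |n| n[0] == :@ident && n[1] == "params" }
end
# `*args` shows up as :args_add_star, `**opts` as :assoc_splat.
def splatted?(node)
  any_node?(node) { |n| [:args_add_star, :assoc_splat].include?(n[0]) }
end

# Walk the S-expression and report each `.where(...)` whose arguments
# reference `params`, looking through splats instead of stopping at them.
def find_tainted_where(src)
  tree = Ripper.sexp(src) or raise ArgumentError, "syntax error in sample"
  findings = []
  walk = lambda do |node, current_def|
    return unless node.is_a?(Array)
    current_def = node[1][1] if node[0] == :def
    if node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
      meth, args = node[1][3], node[2]
      if meth.is_a?(Array) && meth[1] == "where" && mentions_params?(args)
        findings << [current_def, splatted?(args) ? "splat" : "direct"]
      end
    end
    node.each { |child| walk.call(child, current_def) }
  end
  walk.call(tree, nil)
  findings
end
```

Running `find_tainted_where(SAMPLE)` flags all three reported actions, the two splatted ones labelled "splat", and leaves `safe_lookup` alone.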

presidentbeef added a commit that referenced this issue Jan 12, 2019

presidentbeef added a commit that referenced this issue Jan 18, 2019
