Missing SQL injection/params vulnerability #1204
Brakeman version: 4.3.0
It looks like Brakeman doesn't catch SQL injection vulnerabilities when arguments are splatted into ORM methods. Compare:
```ruby
# Using Sequel, though don't think it matters.
def brakeman_catches_this
  render json: Person.where(params[:foo]).qualify.all
end

def brakeman_does_not_catch_this
  render json: Person.where(*params[:foo]).qualify.all
end

def brakeman_does_not_catch_this_either
  render json: Person.where(**params[:foo]).qualify.all
end
```
Does that make sense?
I suspect this issue might be relevant to many checks, not just the SQL injection one. Or am I missing something?
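As an added illustration of the point raised above (example code, not Brakeman's own checks and not from the issue), here is a small Ripper-based finder that flags `where` calls whose argument list references `params`, whether the value is passed directly, with a splat or with a double splat. The names `find_unsafe_where_calls`, `SINK_METHODS` and the controller sample are hypothetical; the sample mirrors the three shapes from the report plus one benign call. The splat forms wrap the tainted expression in an extra `:args_add_star` / `:assoc_splat` node, which is exactly what a check that only inspects direct arguments overlooks.

```ruby
require "ripper"

# Hypothetical mini-check (not Brakeman's code): method names whose arguments
# should never carry raw request input.
SINK_METHODS = %w[where].freeze

# Pre-order walk over every array node of a Ripper S-expression.
def walk(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| walk(child, &blk) }
end

# Method-name token of a :call / :command_call / :fcall node, or nil.
def method_ident(call)
  return nil unless call.is_a?(Array)
  case call[0]
  when :call, :command_call then call[3]
  when :fcall then call[1]
  end
end

# True if an identifier named `params` appears anywhere in the subtree.
# Deliberately coarse: any use of params inside the argument list counts.
def references_params?(node)
  walk(node) { |n| return true if n[0] == :@ident && n[1] == "params" }
  false
end

# How the argument list passes its values: :direct, :splat, :double_splat.
def arg_styles(args)
  styles = []
  walk(args) do |n|
    styles << :splat if n[0] == :args_add_star      # where(*x)
    styles << :double_splat if n[0] == :assoc_splat # where(**x)
  end
  styles.empty? ? [:direct] : styles.uniq
end

# Returns one hash per suspicious call: { method:, line:, via: }.
def find_unsafe_where_calls(src)
  tree = Ripper.sexp(src)
  raise ArgumentError, "could not parse source" unless tree
  findings = []
  walk(tree) do |node|
    call, args =
      case node[0]
      when :method_add_arg then [node[1], node[2]] # recv.where(...)
      when :command_call   then [node, node[4]]    # recv.where ...
      else next
      end
    ident = method_ident(call)
    next unless ident.is_a?(Array) && ident[0] == :@ident
    next unless SINK_METHODS.include?(ident[1]) && references_params?(args)
    findings << { method: ident[1], line: ident[2][0], via: arg_styles(args) }
  end
  findings
end

# Constructed sample: the three shapes from the report plus a benign call.
SAMPLE = <<~RUBY
  class PeopleController < ApplicationController
    def direct
      render json: Person.where(params[:foo]).qualify.all
    end

    def splat
      render json: Person.where(*params[:foo]).qualify.all
    end

    def double_splat
      render json: Person.where(**params[:foo]).qualify.all
    end

    def constant
      render json: Person.where(id: 1).all
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unsafe_where_calls(SAMPLE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} receives params via #{f[:via].join(', ')}"
  end
end
```

Running it reports lines 3, 7 and 11 (direct, splat and double splat) and stays silent on the constant `where(id: 1)`. The key design choice is that taint is decided by searching the whole argument subtree, so the `:args_add_star` and `:assoc_splat` wrappers that `*` and `**` introduce do not hide the `params` reference from the check.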