Ignore injection warnings from strings in constant array? #1208
Comments
Related to this, it seems we can't even use the whitelisting approach within Brakeman. This still produces a warning:

```ruby
EXPRESSIONS = ["users.email", "concat_ws(' ', users.first_name, users.last_name)"]

def scopes(base_scope)
  EXPRESSIONS.map do |exp|
    raise "Error" unless EXPRESSIONS.include?(exp) # Should prevent warning?
    base_scope.where("#{exp} ILIKE '%foo%'")
  end
end
```
Iteration over a collection of literal values is possible but I have a vague feeling there may have been unintended consequences when trying to do so in the past. I can take another look. To explain a little bit: what Brakeman does in these cases is replace

In the case of your second example there appears to be an odd interaction with the block argument.
Thanks for the explanation and for digging in! I also noticed that, curiously, the warning goes away in my last example if we change the

```ruby
def scopes(base_scope)
  EXPRESSIONS.map do |exp|
    if EXPRESSIONS.include?(exp)
      base_scope.where("#{exp} ILIKE '%foo%'")
    end
  end
end
```
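The allowlist pattern from the two comments above, written out as an added example that is not part of the issue or of Brakeman: the SQL expression is checked against the frozen constant (the only way to keep a column or expression name out of user control, since it cannot be a bind parameter) and the search term travels as a bind value instead of being interpolated. `escape_like`, `ilike_condition` and `search_conditions` are assumed names, and the returned pair is meant for `base_scope.where(*pair)`.

```ruby
# Added example, not from the issue thread or the Brakeman project.
# Assumed usage in a Rails scope: base_scope.where(*ilike_condition(exp, term))

# Only SQL expressions listed here may ever be interpolated into a query.
EXPRESSIONS = [
  "users.email",
  "concat_ws(' ', users.first_name, users.last_name)"
].freeze

# Escape LIKE/ILIKE metacharacters so a user-supplied term matches literally.
# Same escaping scheme as ActiveRecord's sanitize_sql_like (backslash escape).
def escape_like(term, escape_char = "\\")
  metachars = Regexp.union(escape_char, "%", "_")
  term.gsub(metachars) { |m| escape_char + m }
end

# Build the [sql, bind] pair for `where`. The expression must come from the
# allowlist (the check the thread wants Brakeman to honour); the term is a
# bind parameter and never becomes part of the SQL string.
def ilike_condition(exp, term)
  raise ArgumentError, "unknown expression: #{exp.inspect}" unless EXPRESSIONS.include?(exp)
  ["#{exp} ILIKE ?", "%#{escape_like(term)}%"]
end

# One condition per allowlisted expression, i.e. the loop from the thread.
def search_conditions(term)
  EXPRESSIONS.map { |exp| ilike_condition(exp, term) }
end

if __FILE__ == $PROGRAM_NAME
  p ilike_condition("users.email", "50%_off")
  begin
    ilike_condition("users.password_digest", "x")  # not allowlisted
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```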
I suspect the issue is scoping. It's easy with an
Thanks for the fix! I'm still able to trigger a false positive in 4.3.1 with this code though:

```ruby
def safe(foo = false)
  quids = foo ? %w(three four) : %w(five six)
  quids.each do |t|
    `echo #{t}`
  end
end
```

In fact, it also happens if

```ruby
quids = if foo
  %w(three four)
else
  %w(five six)
end

# or...
if foo
  quids = %w(three four)
else
  quids = %w(five six)
end
```
Background
Brakeman version: 4.3.0
Rails version: 5.1.6
Ruby version: 2.5.1
False Positive
We've noticed that Brakeman assumes that constants in constant arrays are user-supplied inputs for things like SQL/shell injection warnings. For example:
I'd assumed this would be too tricky for Brakeman to catch, but now I'm actually wondering how bad it would be to have Brakeman understand some simple iterations on constant arrays like these. But obviously I must defer to you.
Thoughts?