Background
Brakeman version: 4.7.1
Rails version: 5.2.3
Ruby version: 2.5.3
Link to Rails application code: https://github.com/cbortz/brakeman-bug/blob/master/app/models/character.rb
Issue
When using String#strip_heredoc (e.g. <<-.strip_heredoc), possible SQL injection isn't detected. This method is provided by the Rails library rather than the standard library.
Otherwise, the standard heredoc (<<-) and squiggly heredoc (<<~) work as expected.
I've created a dummy Rails project and run brakeman with the debug flag (see output below). You'll see that only two possible SQL injections were detected, rather than three.
Stack trace:
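As an added illustration (not code from this report, the linked repository, or Brakeman itself), the Ruby script below parses the three heredoc variants with Ripper and contrasts a shallow matcher, which only flags an argument that is itself a string literal, with one that unwraps the `.strip_heredoc` call on the receiver chain first. The `where(...)` snippets are constructed for this example, and a bind-parameter form is included to show that neither matcher flags it.

```ruby
require "ripper"

# Constructed snippets modelled on the pattern in the report: the same
# interpolated heredoc passed to where() with and without .strip_heredoc.
STANDARD = <<~'RUBY'
  where(<<-SQL)
    name = '#{name}'
  SQL
RUBY
SQUIGGLY = STANDARD.sub("<<-SQL", "<<~SQL")
STRIPPED = STANDARD.sub("<<-SQL", "<<-SQL.strip_heredoc")
# Remediated form: a bind parameter instead of string interpolation.
SAFE = "where(\"name = ?\", name)\n"

# Yield every s-expression node (an Array whose head is a Symbol).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True if the subtree contains a #{...} interpolation.
def interpolated?(node)
  each_node(node) { |n| return true if n.first == :string_embexpr }
  false
end

# Argument nodes of the first parenthesised where(...) call in src.
def where_args(src)
  each_node(Ripper.sexp(src)) do |n|
    next unless n.first == :method_add_arg && n[1].first == :fcall
    next unless n[1][1][1] == "where"
    each_node(n[2]) { |a| return a[1] if a.first == :args_add_block }
  end
  []
end

# Shallow matcher: the argument node itself must be a string literal,
# so a string wrapped in a method call is never examined.
def naive_flagged?(src)
  where_args(src).any? { |a| a.first == :string_literal && interpolated?(a) }
end

# Unwrapping matcher: peel .strip_heredoc-style calls off the receiver
# chain first. Call node shape: [:call, receiver, period, method].
def unwrapped_flagged?(src)
  where_args(src).any? do |a|
    a = a[1] while a.first == :call
    a.first == :string_literal && interpolated?(a)
  end
end
```

Running `naive_flagged?` over the four snippets reproduces the report (two of three interpolated heredocs flagged), while `unwrapped_flagged?` flags all three and still leaves the bind-parameter form clean.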