Another SQL False positive #655

Closed
phene opened this Issue May 13, 2015 · 4 comments


@phene
Contributor
phene commented May 13, 2015

String literals with no interpolation should not be treated as SQL injection.

Error

High Confidence
Possible SQL injection near line 48: joins(:things).joins("LEFT JOIN thing_memberships ON items.thing_id = thing_memberships.thing_id").where(:tenant_id => user.tenant_id).where(Thing.member_or_visibility(user, [Thing::VISIBILITY_PUBLIC, Thing::VISIBILITY_COMPANY]))

Code

class Thing
  scope :viewable_by, ->(user) {
    member_join = 'LEFT JOIN thing_memberships ON items.thing_id = thing_memberships.thing_id'
    viewable_thing = Thing.member_or_visibility(user, [Thing::VISIBILITY_PUBLIC, Thing::VISIBILITY_COMPANY])
    joins(:things).joins(member_join).where(:tenant_id => user.tenant_id).where(viewable_thing).distinct
  }
end
@presidentbeef
Owner

The warning is on Thing.member_or_visibility, not the string literal.

@phene
Contributor
phene commented May 13, 2015

Why does it assume member_or_visibility returns something unsafe or put the error inside that method definition?

@presidentbeef
Owner

Because anything potentially coming from the database is considered unsafe. In this case Thing must be an ActiveRecord model. It doesn't know anything about member_or_visibility.

However, I do agree this should probably be bumped down to a weak confidence warning.
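The source-to-sink reasoning described in the comment above, as an added example that is not Brakeman's code and not part of this issue: a toy classifier built on Ruby's stdlib Ripper parser that traces local variables back to the expression assigned to them and rates each argument handed to a query builder by where the value came from. A plain string literal (the `member_join` join clause) produces no warning, a method called on a class listed in the hypothetical `MODELS` constant (`Thing.member_or_visibility`) is flagged at weak confidence, following the downgrade proposed in this thread, and, going beyond the issue, a string that interpolates `params` is rated high. The scanning rules, the `MODELS`/`QUERY_METHODS`/`USER_INPUT` lists and the `INJECTABLE_SCOPE` contrast case are all constructed for this illustration; only `ISSUE_SCOPE` is copied from the report.

```ruby
# Added example, not Brakeman's implementation: a toy source-to-sink classifier
# that mirrors the reasoning in this thread. It parses a Rails scope with Ruby's
# stdlib Ripper, traces local variables back to the expression assigned to them,
# and rates each argument passed to a query builder by where the value came from.
require 'ripper'

QUERY_METHODS = %w[where joins order group having select from].freeze
MODELS        = %w[Thing].freeze              # assumed ActiveRecord models (hypothetical)
USER_INPUT    = %w[params request cookies].freeze

# Yield every S-expression node in a Ripper tree, depth first.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# Name of the method invoked by a :method_add_arg node (foo(...) or recv.foo(...)).
def method_name(node)
  callee = node[1]
  case callee.first
  when :fcall then callee[1][1]
  when :call  then callee[3].is_a?(Array) ? callee[3][1] : nil
  end
end

# Argument nodes of a :method_add_arg node; tolerates f(), f(a) and f(a, b).
def call_args(node)
  inner = node[2]
  inner = inner[1] if inner.is_a?(Array) && inner.first == :arg_paren
  return [] if inner.nil?
  inner.first == :args_add_block ? inner[1] : inner
end

# Map local variable name => assigned expression, so `where(viewable_thing)`
# can be judged by what viewable_thing was set to.
def local_assignments(tree)
  env = {}
  each_node(tree) do |n|
    env[n[1][1][1]] = n[2] if n.first == :assign && n[1].first == :var_field
  end
  env
end

# True when a :call node's receiver is a constant naming an assumed model.
def model_receiver?(callee)
  recv = callee[1]
  recv.is_a?(Array) && recv.first == :var_ref &&
    recv[1].first == :@const && MODELS.include?(recv[1][1])
end

# Confidence for one argument, or nil when it cannot carry attacker-shaped SQL.
def classify(node, env, depth = 0)
  return nil if depth > 5 || !node.is_a?(Array)
  case node.first
  when :symbol_literal, :bare_assoc_hash, :hash, :array, :@int
    nil                                         # structural values, not SQL text
  when :string_literal
    embexprs = []
    each_node(node) { |n| embexprs << n if n.first == :string_embexpr }
    return nil if embexprs.empty?               # plain literal: should never warn
    idents = []
    each_node(embexprs) { |n| idents << n[1] if n.first == :@ident }
    (idents & USER_INPUT).empty? ? :medium : :high
  when :vcall, :var_ref
    env.key?(node[1][1]) ? classify(env[node[1][1]], env, depth + 1) : nil
  when :method_add_arg, :call
    callee = node.first == :call ? node : node[1]
    # A method on an AR model may return anything read from the database;
    # the scanner cannot see inside it, so flag it, but only at weak confidence.
    callee.first == :call && model_receiver?(callee) ? :weak : nil
  end
end

# Returns [[method, confidence], ...] for every query-builder argument worth a warning.
def scan(source)
  tree = Ripper.sexp(source) or raise ArgumentError, 'source does not parse'
  env = local_assignments(tree)
  findings = []
  each_node(tree) do |n|
    next unless n.first == :method_add_arg && QUERY_METHODS.include?(method_name(n))
    call_args(n).each do |arg|
      conf = classify(arg, env)
      findings << [method_name(n), conf] if conf
    end
  end
  findings
end

# The scope from this issue, copied verbatim.
ISSUE_SCOPE = <<~'RUBY'
  scope :viewable_by, ->(user) {
    member_join = 'LEFT JOIN thing_memberships ON items.thing_id = thing_memberships.thing_id'
    viewable_thing = Thing.member_or_visibility(user, [Thing::VISIBILITY_PUBLIC, Thing::VISIBILITY_COMPANY])
    joins(:things).joins(member_join).where(:tenant_id => user.tenant_id).where(viewable_thing).distinct
  }
RUBY

# Constructed contrast case (not from the issue): request input interpolated into SQL.
INJECTABLE_SCOPE = <<~'RUBY'
  scope :named, ->(params) { where("name = '#{params[:name]}'") }
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'issue #655 scope' => ISSUE_SCOPE, 'interpolated params' => INJECTABLE_SCOPE }.each do |label, src|
    findings = scan(src)
    puts "#{label}: " + (findings.empty? ? 'no warnings' : findings.map { |m, c| "#{m}(...) #{c}" }.join(', '))
  end
end
```

Run it with `ruby taint_toy.rb`. The issue's scope yields a single weak-confidence finding on `where(viewable_thing)`, because the variable resolves to a call on `Thing`, while both `joins` calls and the hash-form `where` stay quiet; the contrast scope yields a high-confidence finding because `params` is interpolated into the SQL string. Anything the toy cannot resolve is silently accepted, which is the opposite of a real scanner's conservative default, so treat it as an illustration of the ranking logic and not as a substitute for Brakeman.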

@presidentbeef
Owner

This is fixed by #985
