False positive SQL injection for quoted_primary_key, quoted_table_name #884
Comments
Hi Mike, You are right, at the moment Brakeman ignores

```ruby
def self.self_and_descendants_for(id)
  # Recursive CTE: the row with :id plus all of its descendants; the path
  # array guards against cycles, and :id is passed as a bind parameter.
  where(<<-SQL, id: id)
    #{quoted_table_name}.#{quoted_primary_key} IN (
      WITH RECURSIVE descendant_tree(#{quoted_primary_key}, path) AS (
        SELECT #{quoted_primary_key}, ARRAY[#{quoted_primary_key}]
        FROM #{quoted_table_name}
        WHERE #{quoted_primary_key} = :id
        UNION ALL
        SELECT #{quoted_table_name}.#{quoted_primary_key}, descendant_tree.path || #{quoted_table_name}.#{quoted_primary_key}
        FROM descendant_tree
        JOIN #{quoted_table_name} ON #{quoted_table_name}.parent_id = descendant_tree.#{quoted_primary_key}
        WHERE NOT #{quoted_table_name}.#{quoted_primary_key} = ANY(descendant_tree.path)
      )
      SELECT #{quoted_primary_key}
      FROM descendant_tree
      ORDER BY path
    )
  SQL
end
```
presidentbeef added a commit that referenced this issue (May 30, 2016)
presidentbeef added a commit that referenced this issue (May 30, 2016)
Repository owner locked and limited conversation to collaborators (Oct 9, 2016)
I have some code that is dynamically constructing SQL using quoted_primary_key and quoted_table_name from ActiveRecord::ModelSchema::ClassMethods. Brakeman is reporting these as a possible SQL injection, which is not the case with the default implementation of these methods. I suppose someone could override them for their class and introduce an SQL injection vector, but this seems like a false positive to me.