False positive SQL injection for quoted_primary_key, quoted_table_name #884
Comments
|
Hi Mike, You are right, at the moment Brakeman ignores |
def self.self_and_descendants_for(id)
where(<<-SQL, id: id)
#{quoted_table_name}.#{quoted_primary_key} IN (
WITH RECURSIVE descendant_tree(#{quoted_primary_key}, path) AS (
SELECT #{quoted_primary_key}, ARRAY[#{quoted_primary_key}]
FROM #{quoted_table_name}
WHERE #{quoted_primary_key} = :id
UNION ALL
SELECT #{quoted_table_name}.#{quoted_primary_key}, descendant_tree.path || #{quoted_table_name}.#{quoted_primary_key}
FROM descendant_tree
JOIN #{quoted_table_name} ON #{quoted_table_name}.parent_id = descendant_tree.#{quoted_primary_key}
WHERE NOT #{quoted_table_name}.#{quoted_primary_key} = ANY(descendant_tree.path)
)
SELECT #{quoted_primary_key}
FROM descendant_tree
ORDER BY path
)
SQL
end |
presidentbeef
added a commit
that referenced
this issue
May 30, 2016
presidentbeef
added a commit
that referenced
this issue
May 30, 2016
|
👍 |
Repository owner
locked and limited conversation to collaborators
Oct 9, 2016
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I have some code that is dynamically constructing SQL using
quoted_primary_keyandquoted_table_namefromActiveRecord::ModelSchema::ClassMethods. Brakeman is reporting these as a possible SQL injection, which is not the case with the default implementation of these methods. I suppose someone could override them for their class and introduce an SQL injection vector, but this seems like a false positive to me.The text was updated successfully, but these errors were encountered: