Sha256: 4fcb6f38995b61d57413f4f18037f68f5945a992ebd39d14fae779c0e40ed52d
Contents?: true
Size: 1.24 KB
Versions: 2
Compression:
Stored size: 1.24 KB
Contents
require 'railroader/checks/base_check'
#This check looks for regexes that include user input.
class Railroader::CheckDynamicFinders < Railroader::BaseCheck
Railroader::Checks.add self
@description = "Check unsafe usage of find_by_*"
def run_check
if tracker.config.has_gem? :mysql and version_between? '2.0.0', '4.1.99'
tracker.find_call(:method => /^find_by_/).each do |result|
process_result result
end
end
end
def process_result result
return unless original? result
call = result[:call]
if potentially_dangerous? call.method
call.each_arg do |arg|
if params? arg and not safe_call? arg
warn :result => result,
:warning_type => "SQL Injection",
:warning_code => :sql_injection_dynamic_finder,
:message => "MySQL integer conversion may cause 0 to match any string",
:confidence => :medium,
:user_input => arg
break
end
end
end
end
def safe_call? arg
return false unless call? arg
meth = arg.method
meth == :to_s or meth == :to_i
end
def potentially_dangerous? method_name
method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
end
end
Version data entries
2 entries across 2 versions & 1 rubygems
| Version | Path |
|---|---|
| railroader-4.3.5 | lib/railroader/checks/check_dynamic_finders.rb |
| railroader-4.3.4 | lib/railroader/checks/check_dynamic_finders.rb |