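# frozen_string_literal: true

# Controller concern that validates the query-shaping request parameters
# (group, resource, nested, sort, include) against an allowlist derived from
# the model, so that only known column, association, model or method names
# reach the SQL that is later built from them.
module SqlSecurity
  extend ActiveSupport::Concern

  # ActiveRecord::Base.descendants only lists classes that have already been
  # loaded, so every model is loaded before the allowlist below is computed.
  # NOTE: this runs once, when the concern is loaded, not per request.
  Rails.application.eager_load!

  # Underscored names of every model (e.g. "user" or "admin/account"), used to
  # accept model names given as parameter values.
  DESCENDANTS_UNDERSCORED = ActiveRecord::Base.descendants.map do |descendant|
    descendant.to_s.underscore
  end.freeze

  # Aggregation operations accepted as the value of group[calculate].
  GROUP_CALCULATE = %w[
    average
    calculate
    count
    ids
    maximum
    minimum
    pluck
    sum
  ].freeze

  # Check that every query-shaping parameter of the current request is safe to
  # use in SQL built for +klass+. Despite its name, the method returns true
  # when NO injection is detected.
  #
  # @param klass [Class] the ActiveRecord model the request targets
  # @return [Boolean] true when all parameters pass the allowlist, false on the
  #   first parameter that does not (evaluation short-circuits)
  def sql_injection(klass)
    apicasso_parameters.each do |key, value|
      safe = if key.to_sym == :group
               group_sql_safe?(klass, value)
             else
               parameters_sql_safe?(klass, value)
             end
      return false unless safe
    end
    # Return an explicit Boolean rather than the parameter hash that #each
    # would yield as the last expression.
    true
  end

  private

  # Check the +group+ parameter, a hash of group options, for +klass+.
  # group[calculate] must name an allowed aggregation; every other entry must
  # be an allowlisted column/association/model/method name.
  #
  # @param klass [Class] the ActiveRecord model
  # @param value [Hash] the group options from the request
  # @return [Boolean] false if the value is not a Hash or any entry fails
  def group_sql_safe?(klass, value)
    # A scalar group param (?group=foo) is malformed: fail closed instead of
    # raising NoMethodError from #each on a String.
    return false unless value.is_a?(Hash)

    value.all? do |group_key, group_value|
      if group_key.to_sym == :calculate
        GROUP_CALCULATE.include?(group_value)
      else
        safe_for_sql?(klass, group_value)
      end
    end
  end

  # Check a comma-separated list parameter (resource, nested, sort, include)
  # for +klass+. A single leading "+" or "-" (sort direction) is stripped
  # before each name is looked up.
  #
  # @param klass [Class] the ActiveRecord model
  # @param value [String] comma-separated names from the request
  # @return [Boolean] false if the value is not a String or any name fails
  def parameters_sql_safe?(klass, value)
    # Array-style params (?sort[]=...) would raise on #split: fail closed.
    return false unless value.is_a?(String)

    value.split(',').all? do |param|
      safe_for_sql?(klass, param.sub(/\A[+-]/, ''))
    end
  end

  # Check one name against what +klass+ knows about.
  #
  # The name is accepted when it is a column of the model, the singular
  # underscored name of any model, a method the model's instances respond to,
  # or an association name. The respond_to? branch is the loosest one: it
  # accepts any public instance method name of the model, not only names that
  # make sense inside a query, so it is the branch to tighten first if the
  # allowlist ever needs to be stricter.
  #
  # @param klass [Class] the ActiveRecord model
  # @param value [String] the name to check
  # @return [Boolean]
  def safe_for_sql?(klass, value)
    # nil or non-String values cannot be looked up (and would raise on
    # #singularize): fail closed.
    return false unless value.is_a?(String)

    klass.column_names.include?(value) ||
      DESCENDANTS_UNDERSCORED.include?(value.singularize) ||
      klass.new.respond_to?(value) ||
      # Association names are Symbols; compare them as Strings so that this
      # branch can actually match the String parameter value.
      klass.reflect_on_all_associations.map { |assoc| assoc.name.to_s }.include?(value)
  end

  # The query-shaping parameters of the current request. +to_unsafe_h+ bypasses
  # strong parameters on purpose: the values are validated here against the
  # model-derived allowlist instead of being permitted by key.
  #
  # @return [Hash] the group, resource, nested, sort and include params
  def apicasso_parameters
    params.to_unsafe_h.slice(:group, :resource, :nested, :sort, :include)
  end
end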