Sha256: 6cf986c20a26d5d5de8be29d7f148d24e4cfd6ae02a74f63564433b2fd0e07cb
Contents?: true
Size: 1.24 KB
Versions: 2
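require 'railroader/checks/base_check'

# Checks dynamic finders (`find_by_*`) that receive request parameters in
# MySQL-backed Rails apps. MySQL coerces a non-numeric string to 0 when it is
# compared with an integer, so a parameter that reaches the query as the
# integer 0 can make a call such as `find_by_token(params[:token])` match any
# row whose token is not numeric — a lookup/authentication bypass. Only finders
# whose name suggests a secret or lookup key (see DANGEROUS_FINDER) are
# reported, and only when the argument is not pinned to a type (see
# safe_call?).
class Railroader::CheckDynamicFinders < Railroader::BaseCheck
  Railroader::Checks.add self

  @description = "Check unsafe usage of find_by_*"

  # Finder names worth reporting: those that look records up by a token-like
  # or secret attribute. Applied to a method name, so `^` is a full anchor.
  DANGEROUS_FINDER = /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/

  # Entry point invoked by the check runner. The check only runs when the app
  # depends on the mysql gem and the framework version falls in the given
  # range (presumably the versions whose dynamic finders pass the argument
  # through without type casting — confirm against version_between?).
  def run_check
    return unless tracker.config.has_gem?(:mysql) && version_between?('2.0.0', '4.1.99')

    tracker.find_call(:method => /^find_by_/).each do |result|
      process_result result
    end
  end

  # Reports a dangerous finder whose argument is taken from request
  # parameters without a type-forcing conversion. At most one warning is
  # emitted per call (the loop stops after the first offending argument).
  #
  # @param result [Hash] one entry from tracker.find_call; result[:call] is
  #   the call site being inspected
  def process_result result
    return unless original? result

    call = result[:call]
    return unless potentially_dangerous? call.method

    call.each_arg do |arg|
      next unless params?(arg) && !safe_call?(arg)

      warn :result => result,
        :warning_type => "SQL Injection",
        :warning_code => :sql_injection_dynamic_finder,
        :message => "MySQL integer conversion may cause 0 to match any string",
        :confidence => :medium,
        :user_input => arg
      break
    end
  end

  # True when the argument is a method call that pins the value's type:
  # `.to_s` keeps an integer 0 from reaching MySQL as a number, and `.to_i`
  # makes the comparison an explicit integer one.
  #
  # @param arg [Sexp] a finder argument
  # @return [Boolean]
  def safe_call? arg
    return false unless call? arg

    [:to_s, :to_i].include? arg.method
  end

  # Whether the finder name matches DANGEROUS_FINDER. Returns the match
  # result (truthy) or nil; callers only test truthiness.
  #
  # @param method_name [Symbol, String] the called method's name
  def potentially_dangerous? method_name
    method_name.match DANGEROUS_FINDER
  end
end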
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
railroader-4.3.8 | lib/railroader/checks/check_dynamic_finders.rb |
railroader-4.3.7 | lib/railroader/checks/check_dynamic_finders.rb |