Sha256: 91fd67f149caf83331dc1bcb44bdc31148d31a6981b674b70ce11743437294f8
Contents?: true
Size: 1.32 KB
Versions: 3
Compression:
Stored size: 1.32 KB
Contents
# frozen_string_literal: true module TaintedLove module Replacer class ReplaceActiveRecord < Base def should_replace? Object.const_defined?('ActiveRecord') end def replace! require 'active_record/relation' TaintedLove.proxy_method('ActiveRecord::QueryMethods', :where) do |_, *args| unless args.empty? f = args.first if f.is_a?(String) && f.tainted? TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model.where using tainted string') end end end TaintedLove.proxy_method('ActiveRecord::QueryMethods', :select) do |_, *args| unless args.empty? f = args.first if f.is_a?(String) && f.tainted? TaintedLove.report(:ReplaceActiveRecord, f, [:sqli], 'Model#select using tainted string') end end end mod = Module.new do [:find_by_sql, :count_by_sql].each do |method| define_method(method) do |*args| if args.first.tainted? TaintedLove.report(:ReplaceActiveRecord, args.first, [:sqli], "Model##{method} using tainted string") end super(*args) end end end ActiveRecord::Base.extend(mod) end end end end
Version data entries
3 entries across 3 versions & 1 rubygems