Sha256: 91fd67f149caf83331dc1bcb44bdc31148d31a6981b674b70ce11743437294f8

Contents?: true

Size: 1.32 KB

Versions: 3

Compression:

Stored size: 1.32 KB


# frozen_string_literal: true

module TaintedLove
  module Replacer
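    class ReplaceActiveRecord < Base
      # Report messages for the ActiveRecord::QueryMethods methods that accept a raw
      # SQL fragment as their first positional argument, keyed by method name.
      QUERY_METHOD_MESSAGES = {
        where: 'Model.where using tainted string',
        select: 'Model#select using tainted string'
      }.freeze

      # Class-level methods on ActiveRecord::Base whose first argument is raw SQL.
      RAW_SQL_CLASS_METHODS = %i[find_by_sql count_by_sql].freeze

      # The replacer is only worth installing once ActiveRecord is loaded in the process.
      #
      # @return [Boolean]
      def should_replace?
        Object.const_defined?('ActiveRecord')
      end

      # Installs the hooks: proxies `where`/`select` on ActiveRecord::QueryMethods and
      # wraps `find_by_sql`/`count_by_sql` on ActiveRecord::Base. Every hook only
      # reports a potential SQL injection; the original call still runs unchanged.
      #
      # Detection relies on Ruby's taint flag (`String#tainted?`), which the rest of
      # the gem propagates from request input; that flag no longer exists in Ruby 3.2+.
      #
      # @return [void]
      def replace!
        require 'active_record/relation'

        # Shared guard for all hooks: report only when the first argument is a String
        # carrying the taint flag. A Hash (`where(id: x)`) or an Array
        # (`find_by_sql(["... ?", bind])`) is left alone, and the nil first argument of
        # an argument-less call falls through without touching `tainted?` — the
        # previous find_by_sql/count_by_sql wrapper skipped the String check that the
        # where/select proxies already had. A lambda is used so the guard is captured
        # by closure whatever `self` the proxy or define_method bodies run under.
        report_tainted_sql = lambda do |value, message|
          return unless value.is_a?(String) && value.tainted?

          TaintedLove.report(:ReplaceActiveRecord, value, [:sqli], message)
        end

        QUERY_METHOD_MESSAGES.each do |method, message|
          TaintedLove.proxy_method('ActiveRecord::QueryMethods', method) do |_, *args|
            report_tainted_sql.call(args.first, message)
          end
        end

        raw_sql_hooks = Module.new do
          RAW_SQL_CLASS_METHODS.each do |method|
            define_method(method) do |*args|
              report_tainted_sql.call(args.first, "Model##{method} using tainted string")

              # Explicit argument list is required: implicit `super` is not allowed
              # inside define_method.
              super(*args)
            end
          end
        end

        # Extending places the hook module ahead of ActiveRecord's own class methods in
        # the singleton ancestor chain, so `super` reaches the original implementation
        # (presumably the one ActiveRecord::Base gets from its querying mixin — verify
        # against the ActiveRecord version in use).
        ActiveRecord::Base.extend(raw_sql_hooks)
      end
    end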
  end
end

Version data entries

3 entries across 3 versions & 1 rubygems

Version Path
tainted_love-0.1.5 lib/tainted_love/replacer/replace_active_record.rb
tainted_love-0.1.4 lib/tainted_love/replacer/replace_active_record.rb
tainted_love-0.1.3 lib/tainted_love/replacer/replace_active_record.rb