
# frozen_string_literal: true

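module RuboCop
  module Cop
    module GitlabSecurity
      # Check for use of where("name = '#{params[:name]}'")
      #
      # Passing user input to where() without parameterization can result in SQL Injection
      #
      # The check is purely syntactic. It flags a `where` call (including the
      # safe-navigation form `relation&.where`) when one of its arguments is a
      # string literal that interpolates an expression between two literal
      # fragments -- the `(str) (begin) (str)` shape matched below. It does NOT
      # flag, among others:
      #
      #   - an interpolation that is not directly preceded and followed by literal
      #     text, e.g. where("name = #{params[:name]}") or where("#{col} = 1")
      #   - a query string built elsewhere and passed in through a variable
      #   - other query-building methods (order, group, joins, find_by_sql, ...)
      #
      # A clean run of this cop is therefore not evidence that a query is safe;
      # any raw SQL string that includes user-controlled data still needs review.
      #
      # @example
      #
      #   # bad
      #   u = User.where("name = '#{params[:name]}'")
      #
      #   # good (parameters)
      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
      #   u = User.where(name: params[:name], id: params[:id])
      #
      class SqlInjection < RuboCop::Cop::Base
        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'

        # Only `where` calls are dispatched to #on_send / #on_csend; every other
        # method call is filtered out before it reaches this cop.
        RESTRICT_ON_SEND = %i[where].freeze

        # A `where(...)` call on any receiver. `csend` is included so that the
        # safe-navigation spelling `relation&.where(...)`, which is just as
        # injectable, is not silently skipped.
        #
        # @!method where_user_input?(node)
        def_node_matcher :where_user_input?, <<-PATTERN
          ({send csend} _ :where ...)
        PATTERN

        # A string literal of the form "literal #{expr} literal ...": a literal
        # fragment, an interpolated expression, then another literal fragment.
        #
        # @!method string_var_string?(node)
        def_node_matcher :string_var_string?, <<-PATTERN
          (dstr (str ...) (begin ...) (str ...) ...)
        PATTERN

        # Registers an offense on the `where` selector when any argument is an
        # interpolated string of the shape matched by #string_var_string?.
        #
        # @param node [RuboCop::AST::SendNode] the `where` call being inspected
        # @return [void]
        def on_send(node)
          return unless where_user_input?(node)
          return unless node.arguments.any? { |arg| string_var_string?(arg) }

          add_offense(node.loc.selector)
        end
        # `&.where(...)` arrives as a csend node; treat it exactly like a send.
        alias on_csend on_send
      end
    end
  end
end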
