Merge pull request #79 from presidentbeef/dont_check_find_by_methods_for_sql

Don't check find_by_* methods for sql

lib/brakeman/checks/check_sql.rb

@@ -17,9 +17,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @rails_version = tracker.config[:rails_version]
 
     if tracker.options[:rails3]
-      @sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
+      @sql_targets = /^(find|find_by_sql|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
     else
-      @sql_targets = /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
+      @sql_targets = /^(find|find_by_sql|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
     end
 
     Brakeman.debug "Finding possible SQL calls on models"

test/apps/rails2/app/controllers/home_controller.rb

@@ -112,6 +112,10 @@ class HomeController < ApplicationController
     params["something"] = h(params["something"])
   end
 
+  def test_safe_find_by
+    User.find_or_create_by_name(params[:name], :code => (params[:x] + "code"))
+  end
+
   private
 
   def filter_it

test/tests/test_rails2.rb

@@ -219,6 +219,15 @@ class Rails2Tests < Test::Unit::TestCase
       :file => /user\.rb/
   end
 
+  def test_sql_user_input_in_find_by
+    assert_no_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 116,
+      :message => /^Possible SQL injection near line 116: User.find_or_create_by_name/,
+      :confidence => 0,
+      :file => /home_controller\.rb/
+  end
+
   def test_csrf_protection
     assert_warning :type => :controller,
       :warning_type => "Cross-Site Request Forgery",