Check calls to Model#from and :from option for SQL

7ac9edfe · Justin Collins · 27bdeeb5 · 7ac9edfe
隐藏空白更改
内联并排

Showing with 5 addition and 3 deletion

lib/brakeman/checks/check_sql.rb lib/brakeman/checks/check_sql.rb +5 -3

未找到文件。
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -19,7 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :find, :find_by_sql, :first, :last, :maximum, :minumum, :sum]

    if tracker.options[:rails3]
-      @sql_targets.concat [:group, :having, :joins, :lock, :order, :reorder, :where]
+      @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where]
    end

    Brakeman.debug "Finding possible SQL calls on models"
@@ -157,6 +157,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                        check_order_arguments args
                      when :joins
                        check_joins_arguments args[1]
+                      when :from
+                        unsafe_sql? args[1]
                      when :lock
                        check_lock_arguments args[1]
                      else
@@ -166,8 +168,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    if dangerous_value
      add_result result

-      puts "Dangerous value: #{dangerous_value}"
-
      if input = include_user_input?(dangerous_value)
        confidence = CONFIDENCE[:high]
        user_input = input.match
@@ -367,6 +367,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                   check_joins_arguments value
                 when :lock
                   check_lock_arguments value
+                 when :from
+                   unsafe_sql? value
                 else
                   nil
                 end