CheckSQL: Ignore sanitize methods in interpolation

bbcdc7fc · Justin Collins · fbe67ebd · bbcdc7fc
隐藏空白更改
内联并排

Showing with 4 addition and 1 deletion

lib/brakeman/checks/check_sql.rb lib/brakeman/checks/check_sql.rb +4 -1

未找到文件。
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -454,7 +454,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    end
  end

-  IGNORE_METHODS_IN_SQL = Set[:id, :table_name, :to_i, :to_f]
+  IGNORE_METHODS_IN_SQL = Set[:id, :table_name, :to_i, :to_f,
+    :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
+    :sanitize_sql_for_conditions, :sanitize_sql_hash,
+    :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions]

  def safe_value? exp
    return true unless sexp? exp