Merge pull request #630 from presidentbeef/to_sym_is_not_a_model_attribute

Avoid SQL warning about to_sym as a model attribute

Merge pull request #630 from presidentbeef/to_sym_is_not_a_model_attribute
Avoid SQL warning about to_sym as a model attribute
e0d94df6 · Justin · e49aa2f7 · f3a41e00 · e0d94df6 · e0d94df6
Showing with 29 addition and 2 deletion

lib/brakeman/checks/check_sql.rb lib/brakeman/checks/check_sql.rb +1 -1

test/apps/rails4/app/models/user.rb test/apps/rails4/app/models/user.rb +4 -0

test/tests/rails4.rb test/tests/rails4.rb +24 -1

未找到文件。
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -558,7 +558,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    when :str, :lit, :const, :colon2, :nil, :true, :false
      true
    when :call
-      if exp.method == :to_s
+      if exp.method == :to_s or exp.method == :to_sym
        safe_value? exp.target
      else
        IGNORE_METHODS_IN_SQL.include? exp.method or

--- a/test/apps/rails4/app/models/user.rb
+++ b/test/apps/rails4/app/models/user.rb
@@ -8,4 +8,8 @@ class User < ActiveRecord::Base
  def arel_exists
    where(User.where(User.arel_table[:object_id].eq(arel_table[:id])).exists)
  end
+
+  def symbol_stuff
+    self.where(User.table_name.to_sym)
+  end
 end
--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -16,7 +16,7 @@ class Rails4Tests < Test::Unit::TestCase
      :controller => 0,
      :model => 1,
      :template => 3,
-      :generic => 50
+      :generic => 51
    }
  end

@@ -598,6 +598,29 @@ class Rails4Tests < Test::Unit::TestCase
      :user_input => s(:call, s(:params), :[], s(:lit, :x))
  end

+  def test_sql_injection_ignore_to_sym
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "f2e6d5d952c841a148c086beb09ad2961ab9854215f3665babd574aaa4aaaf83",
+      :warning_type => "SQL Injection",
+      :line => 13,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :relative_path => "app/models/user.rb",
+      :user_input => s(:call, s(:call, s(:const, :User), :table_name), :to_sym)
+
+    # This is a side effect of the test above
+    assert_warning :type => :warning,
+      :warning_code => 59,
+      :fingerprint => "80fce17f43faed45ada3a85acd3902ab32478e585190b25dbb4d5ce483a463f7",
+      :warning_type => "Denial of Service",
+      :line => 13,
+      :message => /^Symbol\ conversion\ from\ unsafe\ string\ \(mo/,
+      :confidence => 1,
+      :relative_path => "app/models/user.rb",
+      :user_input => s(:call, s(:const, :User), :table_name)
+  end
+
  def test_additional_libs_option
    assert_warning :type => :warning,
      :warning_code => 14,