Ignore table_name() in SQL

3764a992 · Justin Collins · 427736e8 · 3764a992
隐藏空白更改
内联并排

Showing with 13 addition and 1 deletion

lib/brakeman/checks/check_sql.rb lib/brakeman/checks/check_sql.rb +13 -1

未找到文件。
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -95,7 +95,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
      when :array
        return check_arguments(arg[1])
      when :string_interp
-        return true
+        return true if check_string_interp arg
      when :call
        return check_call(arg)
      else
@@ -108,6 +108,18 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    false
  end

+  def check_string_interp arg
+    arg.each do |exp|
+      #For now, don't warn on interpolation of Model.table_name
+      #but check for other 'safe' things in the future
+      if sexp? exp and exp.node_type == :string_eval
+        if call? exp[1] and (model_name?(exp[1][1]) or exp[1][1].nil?) and exp[1][2] == :table_name
+          return false
+        end
+      end
+    end
+  end
+
  #Check call for user input and string building
  def check_call exp
    target = exp[1]