Do not treat sanitize_sql_like as safe

It does not protect against SQL injection.
presidentbeef · Dec 16, 2021 · 9494bda · 9494bda
1 parent e05a6e8
commit 9494bda
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/brakeman/checks/check_sql.rb b/lib/brakeman/checks/check_sql.rb
@@ -584,7 +584,7 @@ def check_string_arg exp
   end
 
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,

diff --git a/test/tests/rails6.rb b/test/tests/rails6.rb
@@ -13,7 +13,7 @@ def expected
       :controller => 0,
       :model => 0,
       :template => 4,
-      :generic => 34
+      :generic => 35
     }
   end
 
@@ -148,7 +148,7 @@ def test_sql_injection_date_integer_target_false_positive
   end
 
   def test_sql_injection_sanitize_sql_like
-    assert_no_warning :type => :warning,
+    assert_warning :type => :warning,
       :warning_code => 0,
       :fingerprint => "8dde11c95a0f3acb4f982ff6554ac3ba821334ee04aee7f1fb0ea01c8919baad",
       :warning_type => "SQL Injection",