```ruby
class Earth::QuotesPresenter
  attr_reader :quotes

  def fetch
    @quotes = Quote.all
    # SOME OTHER CODE
    if params[:search_text].present?
      if params[:exact_match].presence == 'true'
        @quotes = @quotes.where(reply: params[:search_text])
      else
        search_query = params[:search_text].split(' ').map { |word| "CONCAT(' ', reply, ' ') LIKE '% #{word} %'" }.join(' AND ')
        @quotes = @quotes.where(search_query)
      end
    end
  end
end
```
Then you hit the URL using search_text=SQLI (avoiding spaces because they are split) and exact_match=false.
Brakeman is being run on the whole project and not only on this file, so I guess the @quotes variable is being resolved. Could it not be resolved by Brakeman somehow?
Because in my Rails console, when I query `pry(main)> Quote.all`, it properly returns all quotes from the database, and when running the project the results are presented properly inside the page.
Background
Brakeman version: 5.1.2
Rails version: 6.1.4.1
Ruby version: 2.5.5
Rails application code
Cannot disclose the full code but I can disclose the offending part which seems pretty clear.
Issue
False negative SQLi using `.map`. This is actually a legit SQL injection point but Brakeman fails to catch it.
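The same multi-word search built with bind values instead of string interpolation, as an added example that is not part of the issue or of Brakeman; it is plain Ruby with no Rails loaded, so it returns the `[sql, *binds]` array form that ActiveRecord's `where` accepts rather than calling `where` itself, and `escape_like` is a hypothetical helper that mirrors what `sanitize_sql_like` does.

```ruby
# Added example (not from the issue): the presenter's search condition
# rebuilt so that user words travel as bind values, not as SQL text.
# Plain Ruby; `where(*safe_search_condition(text))` is how a Rails app
# would consume the returned array.

# Escape LIKE wildcards so a user word matches literally. Same effect as
# ActiveRecord's sanitize_sql_like; MySQL's default LIKE escape character
# is a backslash, other databases need an explicit ESCAPE clause.
def escape_like(word, escape = "\\")
  word.gsub(/[\\%_]/) { |c| "#{escape}#{c}" }
end

# The pattern from the issue, kept for contrast: every word from the
# request is interpolated straight into the SQL string.
def vulnerable_search_query(search_text)
  search_text.split(' ')
             .map { |word| "CONCAT(' ', reply, ' ') LIKE '% #{word} %'" }
             .join(' AND ')
end

# Hardened form: one '?' placeholder per word, the words themselves are
# passed separately so the database driver quotes them. The SQL text no
# longer depends on request content at all.
def safe_search_condition(search_text)
  words = search_text.split(' ')
  sql   = words.map { "CONCAT(' ', reply, ' ') LIKE ?" }.join(' AND ')
  binds = words.map { |w| "% #{escape_like(w)} %" }
  [sql, *binds]
end
```

The exact-match branch in the issue (`where(reply: params[:search_text])`) is already in this hash form and needs no change.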