I get false positives for SQL injection on non-AR classes on count. #1667

thijsnado opened this issue Jan 12, 2022 · 1 comment
@thijsnado
Background

Brakeman version: 5.2.0
Rails version: 6.1.4.4
Ruby version: 2.7.5p203

Link to Rails application code: ?

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Pipedream::Agent.count(params[:event_name], 1, :anonymous => anonymous?, :loggedIn => logged_in?)
File: app/controllers/medias_controller.rb
Line: 514

Relevant code:

Pipedream::Agent.count(event_name, 1, {anonymous: anonymous?, loggedIn: logged_in})

Why might this be a false positive?

The above code is for analytical purposes and just logs event names with metadata. There is a chance that user input could be used to enter arbitrary data, but that is of little concern to us. There are no SQL counts going on; count is probably badly named, but what it does is increase the count of an event name happening.
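The reason a `.count(params[:event_name], ...)` call attracts Brakeman's SQL check is the ActiveRecord meaning of `count(column)`: the argument becomes part of the SQL text rather than a bound value. The following is an added example, not code from Brakeman or from the reporter's application; `ArLikeModel`, `AnalyticsAgent` and the constructed parameter are assumptions. It places a sketch of the AR-style call (raw and with a column allow-list) next to a non-AR tally class with the same call shape, so the two cases the issue contrasts can be run side by side.

```ruby
# Added example (not from the Brakeman project or the issue's application).
# Shows why Brakeman's SQL check reacts to `.count(params[:x])`: on an
# ActiveRecord relation the column argument becomes part of the SQL text,
# whereas the issue's Pipedream::Agent.count is an event tally.
# Names below (ArLikeModel, AnalyticsAgent, CONSTRUCTED_PARAM) are assumptions.

# Sketch of how an ActiveRecord-style count(column) turns its argument into SQL.
# Real ActiveRecord does more, but the column name is interpolated, not bound.
class ArLikeModel
  COLUMN_NAMES = %w[id event_name created_at].freeze

  # Unsafe shape: the caller-supplied string lands in the SQL verbatim.
  def self.count_sql_unsafe(column)
    "SELECT COUNT(#{column}) FROM events"
  end

  # Hardened shape: only a known column name may reach the SQL text.
  def self.count_sql_safe(column)
    column = column.to_s
    unless COLUMN_NAMES.include?(column)
      raise ArgumentError, "unknown column: #{column.inspect}"
    end
    "SELECT COUNT(#{column}) FROM events"
  end
end

# Non-AR analytics class with the same call shape as Pipedream::Agent.count
# in the issue. It never builds SQL; "count" is an in-memory tally by event name.
class AnalyticsAgent
  @tallies = Hash.new(0)
  @metadata = {}

  def self.count(event_name, increment = 1, meta = {})
    key = event_name.to_s
    @tallies[key] += increment
    @metadata[key] = meta
    @tallies[key]
  end

  def self.tally(event_name)
    @tallies[event_name.to_s]
  end
end

# Constructed request parameter standing in for params[:event_name]:
# not a column name, so it must never reach SQL text unchecked.
CONSTRUCTED_PARAM = "id) --"

def demo
  unsafe = ArLikeModel.count_sql_unsafe(CONSTRUCTED_PARAM)
  safe_error = begin
    ArLikeModel.count_sql_safe(CONSTRUCTED_PARAM)
    nil
  rescue ArgumentError => e
    e.message
  end
  tally = AnalyticsAgent.count(CONSTRUCTED_PARAM, 1, anonymous: true, loggedIn: false)
  { unsafe_sql: unsafe, safe_error: safe_error, tally: tally }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "AR-style count with raw param:   #{r[:unsafe_sql]}"
  puts "Allow-listed count rejects it:   #{r[:safe_error]}"
  puts "Analytics tally just increments: #{r[:tally]}"
end
```

A static checker sees only the call shape (`Something.count(<user input>, ...)`), which is identical for `ArLikeModel` and `AnalyticsAgent`; telling them apart requires knowing whether the receiver is an ActiveRecord class, which is what the issue asks Brakeman to do. For a real AR call with a user-chosen column, the allow-list in `count_sql_safe` is the fix that also makes the warning go away.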

@presidentbeef (Owner)

Hi @thijsnado - thank you for reporting. Looking at the Brakeman code, this shouldn't be happening... which scares me a little bit 😆 I will take a deeper look.
