Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ignore sanitize_sql_like in SQL #1587

Merged
merged 1 commit into from May 3, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion lib/brakeman/checks/check_sql.rb
Expand Up @@ -572,7 +572,7 @@ def check_string_arg exp
end

IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
:sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
:to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
Expand Down
5 changes: 5 additions & 0 deletions test/apps/rails6/app/models/group.rb
Expand Up @@ -7,4 +7,9 @@ def date_in_sql
date = 30.days.ago
Arel.sql("created_at > '#{date}'")
end

def ar_sanitize_sql_like(query)
query = ActiveRecord::Base.sanitize_sql_like(query) # escaped variable
Arel.sql("name ILIKE '%#{query}%'")
end
end
14 changes: 14 additions & 0 deletions test/tests/rails6.rb
Expand Up @@ -134,6 +134,20 @@ def test_sql_injection_date_integer_target_false_positive
:user_input => s(:call, s(:call, s(:lit, 30), :days), :ago)
end


def test_sql_injection_sanitize_sql_like
assert_no_warning :type => :warning,
:warning_code => 0,
:fingerprint => "8dde11c95a0f3acb4f982ff6554ac3ba821334ee04aee7f1fb0ea01c8919baad",
:warning_type => "SQL Injection",
:line => 13,
:message => /^Possible\ SQL\ injection/,
:confidence => 1,
:relative_path => "app/models/group.rb",
:code => s(:call, s(:const, :Arel), :sql, s(:dstr, "name ILIKE '%", s(:evstr, s(:call, s(:colon2, s(:const, :ActiveRecord), :Base), :sanitize_sql_like, s(:lvar, :query))), s(:str, "%'"))),
:user_input => s(:call, s(:colon2, s(:const, :ActiveRecord), :Base), :sanitize_sql_like, s(:lvar, :query))
end

def test_cross_site_scripting_sanity
assert_warning :type => :template,
:warning_code => 2,
Expand Down