Class: RuboCop::Cop::GitlabSecurity::SqlInjection

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/gitlab_security/sql_injection.rb

Overview

Check for use of where("name = '#{params[:name]}'")

Passing user input to where() without parameterization can result in SQL Injection

Examples:


# bad
u = User.where("name = '#{params[:name]}'")

# good (parameters)
u = User.where("name = ? AND id = ?", params[:name], params[:id])
u = User.where(name: params[:name], id: params[:id])

Constant Summary

MSG =
'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 32

# Flags a `where(...)` call whose direct arguments include a string literal
# with `#{...}` interpolation between literal segments, i.e. SQL assembled
# by embedding a value instead of binding it as a parameter.
#
# The offense is reported on the `where` selector token only.
#
# @param node [RuboCop::AST::SendNode] the `send` node being inspected
# @return [void]
def on_send(node)
  return unless where_user_input?(node)

  interpolated = node.arguments.any? { |arg| string_var_string?(arg) }
  add_offense(node.loc.selector) if interpolated
end

#string_var_string?(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 28

# Matches a string-literal argument that interpolates a value: a `dstr`
# whose first three children are a literal segment, an interpolated
# `begin` segment and another literal segment (as in "name = '#{x}'").
# NOTE(review): a dstr that starts with the interpolation ("#{x} = 1") or
# has no literal text after it ("id = #{x}") does not match this pattern —
# confirm whether that gap is intended.
def_node_matcher :string_var_string?, <<-PATTERN
  (dstr (str ...) (begin ...) (str ...) ...)
PATTERN

#where_user_input?(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 23

# Matches any `.where` call, whatever the receiver and arguments are.
# The name is broader than the match: this matcher does not itself look
# for user input; the argument inspection happens in #on_send.
def_node_matcher :where_user_input?, <<-PATTERN
  (send _ :where ...)
PATTERN