Class: RuboCop::Cop::GitlabSecurity::SqlInjection

- Inherits: Base (ancestry: Object > Base > RuboCop::Cop::GitlabSecurity::SqlInjection)
- Defined in: lib/rubocop/cop/gitlab_security/sql_injection.rb
Overview

Check for use of where("name = '#{name}'")

Passing user input to where() without parameterization can result in SQL injection. The cop flags a where() call whose argument is an interpolated string with literal text on both sides of the interpolation, as in the quoted form above; a string such as "id = #{id}" is equally injectable but does not match this cop's pattern. The intended fix is a parameterized call, for example where("name = ?", name).
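The following is an added example, not code from gitlab-styles or the cop above. It reproduces the cop's matching rule using only Ruby's standard-library Ripper parser, so it runs without RuboCop or the parser gem: a call to a method named where (any receiver, or none) whose direct arguments include a string literal made of literal text, an interpolation and literal text again. The helper names (where_ident, direct_args, walk, find_unsafe_where, SAMPLE) and the UsersFinder/User sample source are assumptions made for this example; string_var_string? reuses the cop's own method name. It also exercises the limitation noted above: "id = #{id}" is not reported.

```ruby
require 'ripper'

# The cop's own offense message, reused here for the report output.
MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'.freeze

# Node types under which Ripper places a method call that has arguments:
# with parentheses (method_add_arg) and without (command_call, command).
WHERE_CALL_TYPES = %i[method_add_arg command_call command].freeze

# Returns the [:@ident, "where", [line, col]] token of a `where` call node,
# or nil if `node` is not a call to a method named `where`.
# Mirrors the cop's `(send _ :where ...)` matcher: any receiver, or none.
def where_ident(node)
  return nil unless node.is_a?(Array) && WHERE_CALL_TYPES.include?(node[0])

  callee = node[0] == :method_add_arg ? node[1] : node
  callee.find { |c| c.is_a?(Array) && c[0] == :@ident && c[1] == 'where' }
end

# Direct arguments of a call node (the cop checks `node.arguments`, not
# anything nested deeper), unwrapping Ripper's arg_paren / args_add_block.
def direct_args(call_node)
  args = call_node.last
  args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
  args = args[1] if args.is_a?(Array) && args[0] == :args_add_block
  Array(args).select { |a| a.is_a?(Array) }
end

# Ripper equivalent of the cop's pattern (dstr (str ...) (begin ...) (str ...) ...):
# a string literal whose first three parts are literal text, an
# interpolation (#{...}) and literal text again.
def string_var_string?(arg)
  return false unless arg.is_a?(Array) && arg[0] == :string_literal

  content = arg[1]
  return false unless content.is_a?(Array) && content[0] == :string_content

  kinds = content.drop(1).map { |part| part[0] }
  kinds[0, 3] == %i[@tstring_content string_embexpr @tstring_content]
end

# Depth-first walk over a Ripper S-expression, yielding every typed node.
def walk(node, &blk)
  return unless node.is_a?(Array)

  blk.call(node) if node[0].is_a?(Symbol)
  node.each { |child| walk(child, &blk) }
end

# Returns the line numbers of the `where` calls the cop would flag.
def find_unsafe_where(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, 'source does not parse' if tree.nil?

  offenses = []
  walk(tree) do |node|
    ident = where_ident(node)
    next unless ident
    next unless direct_args(node).any? { |arg| string_var_string?(arg) }

    offenses << ident[2][0]
  end
  offenses
end

# Constructed sample, not real GitLab code. The single-quoted heredoc keeps
# the #{...} sequences literal so Ripper sees them as interpolations.
SAMPLE = <<~'RUBY'
  class UsersFinder
    def by_name(name)
      User.where("name = '#{name}'")   # flagged: literal, interpolation, literal
    end

    def by_id(id)
      User.where("id = #{id}")         # injectable, but not the cop's pattern
    end

    def safe_by_name(name)
      User.where("name = ?", name)     # parameterized: not flagged
    end

    def safe_hash(name)
      User.where(name: name)           # hash conditions: not flagged
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unsafe_where(SAMPLE).each { |line| puts "#{line}: #{MSG}" }
end
```

Run as a script it prints the offense for line 3 only. The by_id method shows why a reviewer should not rely on this cop alone: the pattern needs a literal after the interpolation, so an unquoted interpolation at the end of the SQL fragment passes silently.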
Constant Summary

- MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'
Instance Method Summary

- #on_send(node) ⇒ Object
- #string_var_string?(node) ⇒ Object
- #where_user_input?(node) ⇒ Object

Instance Method Details
#on_send(node) ⇒ Object

```ruby
# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 32

# Called by RuboCop for every method-call (send) node. Registers an offense
# on the `where` selector when the call is a `where` and any direct argument
# is an interpolated string of the shape matched by string_var_string?.
def on_send(node)
  return unless where_user_input?(node)
  return unless node.arguments.any? { |e| string_var_string?(e) }

  add_offense(node.loc.selector)
end
```
#string_var_string?(node) ⇒ Object

```ruby
# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 28

# Matches an interpolated string (dstr) whose first three parts are literal
# text, an interpolation (begin) and literal text again, e.g. "name = '#{name}'".
def_node_matcher :string_var_string?, <<-PATTERN
  (dstr (str ...) (begin ...) (str ...) ...)
PATTERN
```
#where_user_input?(node) ⇒ Object

```ruby
# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 23

# Matches any call to a method named `where`, with or without a receiver
# and with any arguments.
def_node_matcher :where_user_input?, <<-PATTERN
  (send _ :where ...)
PATTERN
```