Class: LintFu::Plugins::Rails::SqlInjection

Inherits: Issue < Object

Defined in: lib/lint_fu/plugins/rails/sql_injection_checker.rb

Instance Attribute Summary

Attributes inherited from Issue

#confidence, #file, #sexp

Instance Method Summary

Methods inherited from Issue

#file_basename, #issue_hash, #line, #relative_file

Constructor Details

#initialize(scan, file, sexp, subject, confidence = 1.0) ⇒ SqlInjection

Returns a new instance of SqlInjection.

# File 'lib/lint_fu/plugins/rails/sql_injection_checker.rb', line 4

def initialize(scan, file, sexp, subject, confidence=1.0)
  super(scan, file, sexp, confidence)
  @subject = subject
end

Instance Method Details

#brief ⇒ Object

# File 'lib/lint_fu/plugins/rails/sql_injection_checker.rb', line 9

def brief
  "SQL Injection"
end

#detail ⇒ Object

# File 'lib/lint_fu/plugins/rails/sql_injection_checker.rb', line 13

def detail
  return "Could a bad guy insert SQL fragments into <code>#{@subject}</code>?"
end

#reference_info ⇒ Object

# File 'lib/lint_fu/plugins/rails/sql_injection_checker.rb', line 17

def reference_info
  return <<EOF
h4. What is it?

A SQL injection vulnerability happens when input from an untrusted source is passed to ActiveRecord in a way that causes it to be interpreted as SQL. If users can inject SQL, they own your database, game over.

"Untrusted source" is usually the network but it could be a file on disk, or even a column in the database.

h4. When does it happen?

The most common source of SQL injection is request parameters that are used without properly escaping them.

bc. Account.first(:conditions=>"name like '\#{params[:name]}'")
User.all(:order=>params[:order_by])

h4. How do I fix it?

Instead of using query parameters directly, make a habit of _always_ using query parameter replacement:

bc. Account.first(:conditions=>[ 'name like ?', params[:name] ])

If you cannot use parameter replacement, escape the string manually using @ActiveRecord::Base#sanitize@.

bc. User.all(:order=>ActiveRecord::Base.sanitize(params[:order_by]))
EOF
end
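The two unsafe calls and the two fixes quoted in reference_info, run through an added Ripper-based check that tells them apart. This is example code written for this page, not lint_fu's own checker (which walks its own sexp); the sample sources are constructed from the text above and the finder-method list is an assumed, abbreviated set.

```ruby
require 'ripper'

# Constructed samples: the two unsafe calls and the two fixes quoted in reference_info.
SAMPLES = {
  'interpolated' => %q{Account.first(:conditions=>"name like '#{params[:name]}'")},
  'raw_param'    => %q{User.all(:order=>params[:order_by])},
  'bound'        => %q{Account.first(:conditions=>[ 'name like ?', params[:name] ])},
  'sanitized'    => %q{User.all(:order=>ActiveRecord::Base.sanitize(params[:order_by]))}
}.freeze
# Finder names whose arguments can be interpreted as SQL (an assumed, abbreviated set).
FINDER_METHODS = %w[first all find find_by_sql where].freeze

# Depth-first walk over Ripper's nested-array sexp, yielding each node with its ancestors.
def walk(node, ancestors = [], &blk)
  return unless node.is_a?(Array)
  yield node, ancestors
  node.each { |child| walk(child, ancestors + [node], &blk) }
end

# True for a `params[...]` reference: an :aref on a :vcall/:var_ref of the identifier "params".
def params_ref?(node)
  node.is_a?(Array) && node[0] == :aref &&
    node[1].is_a?(Array) && [:vcall, :var_ref].include?(node[1][0]) &&
    node[1][1].is_a?(Array) && node[1][1][1] == 'params'
end

# Reports [method, kind] for each params[...] that reaches a parenthesised finder call
# unescaped: :interpolated when inside "#{...}", :raw_value when used directly as a hash
# value. A params[...] used as a bind value in an array, or wrapped in another call such
# as sanitize, is not reported.
def sql_injection_findings(source)
  findings = []
  sexp = Ripper.sexp(source) # nil when the source does not parse
  return findings unless sexp
  walk(sexp) do |node, _|
    next unless node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
    meth = node[1][3] # [:@ident, "first", [line, col]]
    next unless meth.is_a?(Array) && FINDER_METHODS.include?(meth[1])
    walk(node[2]) do |arg, anc|
      next unless params_ref?(arg)
      parent = anc.last
      if anc.any? { |a| a[0] == :string_embexpr }
        findings << [meth[1], :interpolated]
      elsif parent && parent[0] == :assoc_new && parent[2].equal?(arg)
        findings << [meth[1], :raw_value]
      end
    end
  end
  findings
end
```

Calls without parentheses (`User.all :order => params[:x]`) parse as :command_call and are outside what this example inspects.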