Class: RuboCop::Cop::Airbnb::RiskyActiverecordInvocation

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/airbnb/risky_activerecord_invocation.rb

Overview

Flags calls to a fixed list of ActiveRecord query methods (VULNERABLE_AR_METHODS below) whose first argument is a string built by interpolation (`"... #{x}"`) or by `+`. Those are the classic SQL injection shapes; the fix is the hash form (`where(name: name)`) or placeholder binding (`where("name = ?", name)`). Two limits follow from the implementation: the call must have an explicit receiver (`User.where(...)`, not a bare `where(...)` inside a model or scope), and only the first argument is inspected, so a string assembled into a variable before the call is not seen.

Constant Summary

VULNERABLE_AR_METHODS =
[
  :delete_all,
  :destroy_all,
  :exists?,
  :execute,
  :find_by_sql,
  :group,
  :having,
  :insert,
  :order,
  :pluck,
  :reorder,
  :select,
  :select_rows,
  :select_values,
  :select_all,
  :update_all,
  :where,
].freeze
MSG =
'Passing a string computed by interpolation or addition to an ActiveRecord ' \
'method is likely to lead to SQL injection. Use hash or parameterized syntax. For ' \
'more information, see ' \
'http://guides.rubyonrails.org/security.html#sql-injection-countermeasures and ' \
'https://rails-sqli.org/rails3. If you have confirmed with Security that this is a ' \
'safe usage of this style, disable this alert with ' \
'`# rubocop:disable Airbnb/RiskyActiverecordInvocation`.'.freeze

Instance Method Summary

  • #includes_interpolation?(args) ⇒ Boolean
  • #includes_sum?(args) ⇒ Boolean
  • #on_send(node) ⇒ Object
  • #vulnerable_ar_method?(method) ⇒ Boolean

Instance Method Details

#includes_interpolation?(args) ⇒ Boolean

Return true if the first arg is a :dstr (double-quoted string literal) with at least one non-:str child, i.e. an interpolated `#{...}` segment. A :dstr whose children are all :str, such as adjacent literal concatenation `"a" "b"`, is not flagged.

Returns:

  • (Boolean)


# File 'lib/rubocop/cop/airbnb/risky_activerecord_invocation.rb', line 49

def includes_interpolation?(args)
  !args.first.nil? &&
    args.first.type == :dstr &&
    args.first.each_child_node.any? { |child| child.type != :str }
end

#includes_sum?(args) ⇒ Boolean

Return true if the first arg is a send of `+`. The cop treats that as string concatenation (e.g. `"id = " + id`); note that any `+` expression as first argument, not only a string one, satisfies this check.

Returns:

  • (Boolean)


# File 'lib/rubocop/cop/airbnb/risky_activerecord_invocation.rb', line 55

def includes_sum?(args)
  !args.first.nil? &&
    args.first.type == :send &&
    args.first.method_name == :+
end

#on_send(node) ⇒ Object

Called by RuboCop for every method-call node. Registers an offense when the call has an explicit receiver, the method name is in VULNERABLE_AR_METHODS, and the first argument is an interpolated string or a `+` expression.

# File 'lib/rubocop/cop/airbnb/risky_activerecord_invocation.rb', line 32

def on_send(node)
  receiver, method_name, *args = *node

  # Bare calls with no explicit receiver (e.g. `where(...)` inside a model
  # body or scope lambda) are skipped; only `Model.where(...)` style is seen.
  return if receiver.nil?
  return unless vulnerable_ar_method?(method_name)
  # Only the first argument is inspected.
  return if !includes_interpolation?(args) && !includes_sum?(args)

  add_offense(node)
end

#vulnerable_ar_method?(method) ⇒ Boolean

Return true if method is one of the names listed in VULNERABLE_AR_METHODS.
Returns:

  • (Boolean)


# File 'lib/rubocop/cop/airbnb/risky_activerecord_invocation.rb', line 44

def vulnerable_ar_method?(method)
  VULNERABLE_AR_METHODS.include?(method)
end
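To see the cop's predicates at work on real source, here is an added, stand-alone re-implementation of the same logic on Ruby's standard-library Ripper parser, so it runs without the rubocop or parser gems. It is not the cop's own code: the sample source is constructed, and the names `interpolated_string?`, `sum_expression?`, `first_argument`, `check_call`, `risky_calls` and `flagged_lines` are this example's own. It deliberately reproduces the two limits visible in on_send: receiver-less calls are skipped, and only the first argument is inspected, so a string assembled into a variable before the call is not seen.

```ruby
require 'ripper'

# Methods the cop treats as SQL sinks (same list as VULNERABLE_AR_METHODS above).
VULNERABLE_AR_METHODS = %i[
  delete_all destroy_all exists? execute find_by_sql group having insert
  order pluck reorder select select_rows select_values select_all update_all where
].freeze

# Constructed sample input; the trailing comment says what the cop's logic does with each line.
SAMPLE = <<~'RUBY'
  User.where("name = '#{params[:name]}'")                 # flagged: interpolation
  User.where("name = '" + params[:name] + "'")            # flagged: string addition
  User.where("name = ?", params[:name])                   # safe: placeholder binding
  User.where(name: params[:name])                         # safe: hash syntax
  Post.order("created_at #{dir}")                         # flagged: interpolation
  ActiveRecord::Base.connection.execute("DELETE FROM t WHERE id = #{id}")  # flagged
  where("id = #{id}")                                     # missed: no explicit receiver
  User.where(sql)                                         # missed: string built elsewhere
  logger.info("name = #{name}")                           # ignored: not an AR method
RUBY

# Counterpart of includes_interpolation?: a string literal with at least one
# #{...} segment (Ripper's :string_embexpr) rather than only plain text parts.
def interpolated_string?(arg)
  return false unless arg.is_a?(Array) && arg[0] == :string_literal
  content = arg[1] # [:string_content, part, part, ...]
  content.drop(1).any? { |part| part.is_a?(Array) && part[0] == :string_embexpr }
end

# Counterpart of includes_sum?: the argument is a top-level `a + b` expression.
def sum_expression?(arg)
  arg.is_a?(Array) && arg[0] == :binary && arg[2] == :+
end

# Pull the first positional argument out of Ripper's argument wrappers.
def first_argument(args_node)
  node = args_node
  node = node[1] if node.is_a?(Array) && node[0] == :arg_paren      # unwrap "( ... )"
  node = node[1] if node.is_a?(Array) && node[0] == :args_add_block # unwrap the arg list
  node.is_a?(Array) ? node.first : nil
end

# Apply the predicates to one call site; name_node is [:@ident, "where", [line, col]].
def check_call(name_node, first_arg, offenses)
  return unless name_node.is_a?(Array) && name_node[0] == :@ident
  method = name_node[1].to_sym
  return unless VULNERABLE_AR_METHODS.include?(method)              # vulnerable_ar_method?
  return unless interpolated_string?(first_arg) || sum_expression?(first_arg)
  offenses << { line: name_node[2][0], method: method }
end

# Walk the whole tree the way on_send is invoked per node. Only calls with an
# explicit receiver (:call / :command_call) are checked; receiver-less :fcall and
# :command nodes are skipped, mirroring `return if receiver.nil?`.
def risky_calls(source)
  offenses = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    case node[0]
    when :method_add_arg                                   # recv.meth( args )
      callee, args = node[1], node[2]
      check_call(callee[3], first_argument(args), offenses) if callee.is_a?(Array) && callee[0] == :call
    when :command_call                                     # recv.meth args  (no parens)
      check_call(node[3], first_argument(node[4]), offenses)
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  offenses
end

# Line numbers (1-based, within the source string) that would get an offense.
def flagged_lines(source = SAMPLE)
  risky_calls(source).map { |o| o[:line] }
end

if $PROGRAM_NAME == __FILE__
  risky_calls(SAMPLE).each do |o|
    puts "line #{o[:line]}: #{o[:method]} called with an interpolated or concatenated string"
  end
end
```

Run it and lines 1, 2, 5 and 6 of the sample are reported, while lines 7 and 8 go unreported even though they carry the same injection risk; that is the gap a reviewer still has to cover by hand (or with a dataflow-aware tool such as Brakeman) when relying on this cop.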