Class: Rubopolis::Cop::QueryInjection

Inherits:
RuboCop::Cop::Base
  • Object
Includes:
RuboCop::Cop::ActiveRecordHelper, RuboCop::Cop::RangeHelp
Defined in:
lib/rubopolis/cop/query_injection.rb

Overview

Examples:

# bad: a single argument that is neither a hash nor an array is passed to the query as-is
User.find_by("name = 'Bruce'")
User.find_by(params[:name_query])

# good: bind parameters ('?') and hash conditions are escaped by ActiveRecord
User.find_by('name = ?', 'Bruce')
User.find_by(['name = ?', 'Bruce'])
User.find_by(name: 'Bruce')

Constant Summary

MSG =
'`%s` should be called with hash or array arguments only: see lib/custom_cops/query_injection'

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubopolis/cop/query_injection.rb', line 26

def on_send(node)
  # Receiverless calls are only checked inside classes that inherit from ActiveRecord::Base
  return if node.receiver.nil? && !inherit_active_record_base?(node)
  return unless method?(node)
  return unless where_or_find_by?(node)
  # Hash and array arguments are parameterised by ActiveRecord, so they are accepted
  return if acceptable_arg?(node.arguments[0])

  # With more than one argument the first string is a template with bind
  # parameters ("name = ?", value), which is most likely safe.
  return if node.arguments.length > 1

  range = offense_range(node)
  add_offense(range, message: format(MSG, @method))
end
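The same check re-implemented as an added example on Ruby's stdlib Ripper parser instead of RuboCop's AST (this is not the gem's own code): it flags `where`/`find_by` calls on an explicit receiver whose single argument is neither a hash nor an array, and simplifies the inheritance check above to "skip receiverless calls". The sample source is constructed from the cop's own good/bad examples.

```ruby
require 'ripper'

# Methods the cop watches and the argument node types it accepts.
QUERY_METHODS = %w[where find_by].freeze
SAFE_ARG_TYPES = %i[bare_assoc_hash hash array].freeze

# Depth-first walk over a Ripper S-expression, yielding every typed node.
def walk(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node[0].is_a?(Symbol)
  node.each { |child| walk(child, &blk) }
end

# Return [line, method_name] for each where/find_by call on an explicit
# receiver whose single argument is neither a hash nor an array.
# (Simplification of the cop: receiverless calls are skipped outright.)
def raw_query_offenses(source)
  sexp = Ripper.sexp(source)
  return [] if sexp.nil? # syntax error: nothing to check

  offenses = []
  walk(sexp) do |node|
    # Shape: [:method_add_arg, [:call, recv, period, ident], [:arg_paren, args]]
    next unless node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
    ident = node[1][3]
    next unless ident.is_a?(Array) && ident[0] == :@ident && QUERY_METHODS.include?(ident[1])
    paren = node[2]
    next unless paren.is_a?(Array) && paren[0] == :arg_paren && paren[1].is_a?(Array)
    args = paren[1][1] # [:args_add_block, [arg, ...], block]
    next unless args.is_a?(Array) && args.length == 1
    next if SAFE_ARG_TYPES.include?(args[0][0])

    offenses << [ident[2][0], ident[1]] # ident carries [line, column]
  end
  offenses
end

# Constructed sample mirroring the cop's own good/bad examples (no interpolation).
SAMPLE = <<~'RUBY'
  User.find_by("name = 'Bruce'")
  User.find_by(params[:name_query])
  User.find_by('name = ?', 'Bruce')
  User.find_by(['name = ?', 'Bruce'])
  User.find_by(name: 'Bruce')
  Post.where("title LIKE '%#{q}%'")
RUBY

puts raw_query_offenses(SAMPLE).inspect # => [[1, "find_by"], [2, "find_by"], [6, "where"]]
```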