
Cannot use brakeman to scan active record code out of rails context

Open jdehaan opened this issue 5 years ago • 3 comments

Is your feature request related to a problem? Please describe.
We would love to use brakeman in the context of libraries or graphql ruby backend code, not necessarily directly bound to a rails model context.

This problem was already described here (https://github.com/presidentbeef/brakeman/issues/522) but the background reasons for the request were not elaborated. I do not necessarily have the same goals as the issuer of the ticket at that time but I consider the request/idea to be a valid one.

Solving this would make brakeman usable widely.

Describe the solution you'd like
brakeman ideally should be able to identify database calls (automatically identify activerecord calls ideally, maybe guided via comments?) and perform its checks on these loose code parts.

I can understand that only a subset of the available checks can apply in such a case, but it would be better than no check at all. Stepwise the implementation could be improved to support this use case better and add support for more rules. The primary target is to get information about suspicious database calls regarding SQL injection.

Describe alternatives you've considered
rubocop security checks but these are poor...

jdehaan, Aug 06 '19 08:08

Hi @jdehaan,

> brakeman ideally should be able to identify database calls (automatically identify activerecord calls ideally

What do these calls look like? Are they calls on classes? Are the classes defined in the same code base? How similar they look to ActiveRecord calls in a Rails application has a lot of impact on the feasibility of this idea.

> Stepwise the implementation could be improved to support this use case better and add support for more rules.

Do you have an example of a codebase that could be supported in this manner? Again, the structure of the code has a big impact. Inferring intent of code is a very difficult problem.

presidentbeef, Aug 26 '19 15:08

I am thinking about, for example, Arel API calls that make use of strings constructed from variable contents, or use of 'where' combined with string interpolation. I am aware that speculative detection and reporting can yield a lot of false positives...

jdehaan, Aug 26 '19 18:08
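As an added illustration of the kind of check being asked for (this is example code written for this page, not brakeman's implementation and not code from anyone in the thread): parse loose Ruby with the stdlib Ripper parser, no Rails app required, find calls to methods that hand a string to SQL, and flag those whose argument is built at runtime by `#{}` interpolation or `+` concatenation. The sink list (`SQL_SINKS`), the helper names and the sample source are all constructed for this example.

```ruby
require "ripper"

# Methods whose String argument ActiveRecord or Arel splices into SQL.
# This list is an assumption for the example, not brakeman's sink list.
SQL_SINKS = %w[where having order group select joins find_by_sql sql].freeze

# Given a call-style Ripper node, returns [method_name, line] or nil.
def callee(node)
  ident = case node[0]
          when :fcall, :command     then node[1]   # bare call:   where(...)
          when :call, :command_call then node[3]   # receiver:    Post.where(...)
          end
  return nil unless ident.is_a?(Array) && ident[0] == :@ident
  [ident[1], ident[2][0]]
end

# Splits a node into [name, line, args] when it is a method call with
# arguments; handles parenthesised calls and command-style calls.
def call_parts(node)
  case node[0]
  when :method_add_arg then nl = callee(node[1]); args = node[2]
  when :command        then nl = callee(node);    args = node[2]
  when :command_call   then nl = callee(node);    args = node[4]
  else return nil
  end
  nl && [nl[0], nl[1], args]
end

# True when the subtree builds a String at runtime: "#{...}" interpolation,
# or a string literal concatenated with +.
def dynamic_string?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :string_embexpr
  if node[0] == :binary && node[2] == :+
    sides = [node[1], node[3]]
    return true if sides.any? { |s| s.is_a?(Array) && s[0] == :string_literal }
  end
  node.any? { |child| dynamic_string?(child) }
end

# Depth-first walk collecting [method, line] for every sink whose
# arguments contain a runtime-built string.
def collect(node, findings)
  return findings unless node.is_a?(Array)
  if (parts = call_parts(node))
    name, line, args = parts
    findings << [name, line] if SQL_SINKS.include?(name) && dynamic_string?(args)
  end
  node.each { |child| collect(child, findings) }
  findings
end

# Parses plain Ruby source and returns [[method, line], ...] findings.
def find_dynamic_sql(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse as Ruby" if tree.nil?
  collect(tree, [])
end

# Constructed sample input for this example; not taken from any real code base.
SAMPLE = <<~'RUBY'
  # loose ActiveRecord-style code with no Rails app around it
  class PostResolver
    def unsafe(name)
      Post.where("author = '#{name}'")
    end
    def unsafe_arel(col)
      Post.order(Arel.sql("#{col} DESC"))
    end
    def unsafe_concat(q)
      Post.find_by_sql("SELECT * FROM posts WHERE title = '" + q + "'")
    end
    def safe(name)
      Post.where("author = ?", name)
      Post.where(author: name)
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  find_dynamic_sql(SAMPLE).each do |name, line|
    puts "line #{line}: #{name} called with a runtime-built SQL string"
  end
end
```

The check is purely syntactic, which is exactly the false-positive trade-off raised above: `where("t = #{Post.table_name}")` is flagged just like interpolating user input, and a string assembled in a local variable and passed by name is missed. A practitioner would pair it with an allowlist of known-safe interpolations rather than treat its output as a verdict.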

I will provide a set of examples later.

jdehaan, Aug 26 '19 18:08

Brakeman does its best to scan all Ruby files in the scan directory, so in theory this is kind of addressed.

presidentbeef, Jan 25 '24 06:01