labml icon indicating copy to clipboard operation
labml copied to clipboard
verified publisher icon labmlai

Warn about sanitize_sql with a string argument

Open avit opened this issue 6 years ago • 2 comments

Is your feature request related to a problem? Please describe.

The sanitize_sql method signature is designed to receive an array with ["sql template", *values] that it uses for quoting and replacing placeholders.

When a string is passed instead of an array, sanitize_sql is a no-op, and the original string is returned unchanged.

Describe the solution you'd like

Queries like where(sanitize_sql("id > #{params[:id]}")) should cause a warning for SQL injection since the sanitize method has no effect.

Additional context

Adding this warning would plug an obvious hole for possible injections, but I suspect this misleading use of sanitize_sql(str) is also being used to silence false-positives when interpolating strings of known-safe SQL. See https://github.com/presidentbeef/brakeman/issues/1401#issuecomment-582764673 for a possible way forward.

avit avatar Feb 06 '20 07:02 avit

Warn on sanitize_sql("some #{interpolated} string") or just don't treat sanitize_sql as safe when passed a string?

presidentbeef avatar Feb 06 '20 08:02 presidentbeef

sanitize_sql("constant literal") indeed seems safe but is misleading. That's probably more of a linting question (rubocop).

avit avatar Feb 06 '20 18:02 avit