
Brakeman enum support broken?

Open cubasepp opened this issue 6 months ago • 2 comments

Background

Brakeman version: 7.0.2
Rails version: 7.2.2.1
Ruby version: 3.4.4

Link to Rails application code: ?

Issue

When I use an enum like:

self.where("thing IN #{Model.statuses[:value]}")

I get a Possible SQL injection Warning.

I believe the add_enum_method is not up to date? code

If I step into this function, for some reason the first two checks are false:

return unless hash? arg
return unless symbol? arg[1]

If it's really a bug I can try to fix it, can you confirm it's broken?

Other Error

Run Brakeman with --debug to see the full stack trace.

Stack trace:

Confidence: High
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: self.where("thing IN #{Model.statuses[:value]}")
File: app/models/model.rb
Line: 

cubasepp avatar Jul 08 '25 07:07 cubasepp

Yes... looks like the enum API changed in Rails 7.1.

presidentbeef avatar Jul 08 '25 23:07 presidentbeef
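To make the Rails 7.1 change concrete, here is an added example (not Brakeman's code) of an enum-declaration check that accepts both forms. The call arguments are plain Ruby values standing in for Brakeman's Sexp nodes, a constructed simplification; `enum_attributes` is a hypothetical helper, not a Brakeman API.

```ruby
# Rails < 7.1 keyword form:
#   enum status: { active: 0, archived: 1 }, _prefix: true
#   -> args = [{ status: {...}, _prefix: true }]
# Rails >= 7.1 positional form (added in 7.1):
#   enum :status, { active: 0, archived: 1 }, prefix: true
#   -> args = [:status, {...}, { prefix: true }]
#
# The check quoted in the issue (`return unless hash? arg`) bails out on the
# positional form because the first argument is a Symbol, not a Hash, so the
# `statuses` class method is never recorded and the later interpolation of
# Model.statuses[:value] is reported as untrusted input.

# Returns the enum attribute names declared by one `enum` call, or [] when
# the arguments match neither form (so the caller records nothing).
def enum_attributes(args)
  first = args.first
  case first
  when Symbol, String
    # Positional form: attribute name first, values (Hash or Array) second.
    # Anything else (e.g. a bare `enum :status`) is not a declaration.
    values = args[1]
    return [] unless values.is_a?(Hash) || values.is_a?(Array)
    [first.to_sym]
  when Hash
    # Keyword form: every key whose value is a Hash or Array is an enum;
    # underscore-prefixed keys (_prefix, _suffix, _default, ...) are options.
    first.select { |k, v| !k.to_s.start_with?("_") && (v.is_a?(Hash) || v.is_a?(Array)) }
         .keys.map(&:to_sym)
  else
    []
  end
end
```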

I tried to provide a fix. But I am not sure if I understand the test setup correctly. Maybe you can give me some advice on how to fix the old test! Thx.

cubasepp avatar Jul 09 '25 10:07 cubasepp