SQL Injection Too Blunt

Open warmwaffles opened this issue 10 months ago • 0 comments

Given this simple example:

defmodule MyApp.CustomLoader do
  import Ecto.Query

  def source do
    Dataloader.Ecto.new(MyApp.Repo, query: &query/2)
  end

  def query(queryable, params) do
    Enum.reduce(params, queryable, &handle_params/2)
  end

  defp handle_params({:order_by, order_by}, queryable) do
    order_by(queryable, ^order_by)
  end

  defp handle_params(_, queryable), do: queryable
end

The SQL "injection" is bluntly saying query is the reason.

https://github.com/nccgroup/sobelow/blob/b47ad2fbdda03894dfc4e72d635c52e9a6540832/lib/sobelow/sql/query.ex#L17

I am forced to throw # sobelow_skip ["SQL.Query"] any time I need to build out a dataloader that builds an ecto query using Ecto.Query

And then the kicker here is if I rename function from query/2 to somethingelse/2 the check doesn't care.

defmodule MyApp.CustomLoader do
  import Ecto.Query

  def source do
    Dataloader.Ecto.new(MyApp.Repo, query: &somethingelse/2)
  end

  def somethingelse(queryable, params) do
    Enum.reduce(params, queryable, &handle_params/2)
  end

  defp handle_params({:order_by, order_by}, queryable) do
    order_by(queryable, ^order_by)
  end

  defp handle_params(_, queryable), do: queryable
end

Feb 12 '25 18:02 warmwaffles