Unscoped find with `find` and `find_by`

[fidalgo]

Background

Brakeman version: 5.1.1 Rails version: 6.1.4 Ruby version: 2.7.2

Link to Rails application code: Unscoped call to Organization#find near line 11: Organization.find(params[:organiser_id])

False Positive

Full warning from Brakeman: ?

Relevant code: Unscoping find:

    @organiser = Organization.find(params[:organiser_id])

This code shows not warning:

    @organiser = Organization.find_by(id: params[:organiser_id])

Why might this be a false positive? According to the documentation the passed arguments will be used to query by id . The values are coerced to the integer.

[presidentbeef]

Just so I understand, you want Organization.find_by(id: params[:organiser_id]) to warn about an unscoped find vulnerability, right?

[fidalgo]

@presidentbeef I was thinking otherwise, do not raise a warning when you're using find(parameters[:random] because the value would be coerced to an Integer, just like find_by(id: Integer) which does not raise a warning, I may be missing something, but it seems to me the statements are equivalent, if not, could you please point to the direction to understand it better?

[presidentbeef]

find_by(id: ...) should raise a warning, though.

I believe you are thinking about SQL injection.

The intent of this warning is to point out cases of insecure direct object reference - a database row is looked up directly by its ID when it (maybe) should be scoped to its association instead. Note this is an optional check turned off by default because it is prone to false positives.

More info on this here: https://brakemanscanner.org/docs/warning_types/unscoped_find/