Class: RuboCop::Cop::GitlabSecurity::SqlInjection

Inherits:

Base

• Object
• Base
• RuboCop::Cop::GitlabSecurity::SqlInjection

Defined in:

lib/rubocop/cop/gitlab_security/sql_injection.rb

Overview

Check for use of where(“name = ‘#:name’”)

Passing user input to where() without parameterization can result in SQL Injection

Examples:

# bad
u = User.where("name = '#{params[:name]}'")

# good (parameters)
u = User.where("name = ? AND id = ?", params[:name], params[:id])
u = User.where(name: params[:name], id: params[:id])

Constant Summary

MSG =

'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'

Instance Method Summary

• #on_send(node) ⇒ Object
• #string_var_string?(node) ⇒ Object
• #where_user_input?(node) ⇒ Object

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 32

def on_send(node)
  return unless where_user_input?(node)
  return unless node.arguments.any? { |e| string_var_string?(e) }

  add_offense(node.loc.selector)
end

#string_var_string?(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 28

def_node_matcher :string_var_string?, <<-PATTERN
  (dstr (str ...) (begin ...) (str ...) ...)
PATTERN

#where_user_input?(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/sql_injection.rb', line 23

def_node_matcher :where_user_input?, <<-PATTERN
  (send _ :where ...)
PATTERN