Module: Immunio::QuotingHooks

Extended by:
ActiveSupport::Concern
Defined in:
lib/immunio/plugins/active_record.rb

Overview

Since every value that gets escaped is very likely a parameter being passed to a SQL query, we hook the method that escapes values.

Params are then sent to the QueryTracker which will take care of matching the params to the query.

Constant Summary

IGNORED_TYPES =
[TrueClass, FalseClass, NilClass, Fixnum, Bignum, Float].freeze

Instance Method Summary

Instance Method Details

#quote_with_immunio(value, column = nil) ⇒ Object

# File 'lib/immunio/plugins/active_record.rb', line 18

def quote_with_immunio(value, column = nil)
  Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
    if column
      column_name = column.name
    else
      column_name = nil
    end

    # Ignore empty strings and values whose types can't carry an injection.
    unless value.blank? || IGNORED_TYPES.include?(value.class)
      QueryTracker.instance.add_param column_name, value.to_s, object_id
    end

    Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
      quote_without_immunio(value, column)
    end
  end
end
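The following is an added illustration of the hooking pattern the overview describes, not code from the Immunio gem: a toy quoter stands in for ActiveRecord's connection adapter, `quote_with_immunio` wraps its `quote_without_immunio`, and a stand-in `QueryTracker` records each non-trivial value and later checks whether its escaped literal actually appears in the finished SQL. Everything except the names `quote_with_immunio`, `quote_without_immunio`, `IGNORED_TYPES` and `QueryTracker.instance.add_param` is an assumption made for this example, including the matching rule in `QueryTracker#match`, which is a guess at one thing such a tracker can do, not the real tracker's logic. `Integer` replaces the page's `Fixnum`/`Bignum`, which no longer exist on current Ruby.

```ruby
# Added example (not Immunio's code). Demonstrates hooking a quoting method
# so that every escaped parameter is recorded and can be matched back into
# the final SQL statement.

# The page lists Fixnum and Bignum; on Ruby >= 2.4 both are Integer.
IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Integer, Float].freeze

# Column stand-in: only the name is needed by the hook (assumption).
Column = Struct.new(:name)

# Toy tracker: remembers every non-trivial quoted value for the current request.
class QueryTracker
  def self.instance
    @instance ||= new
  end

  attr_reader :params

  def initialize
    @params = []
  end

  # Same call shape as the page's add_param(column_name, value.to_s, object_id).
  def add_param(column_name, value, quoter_id)
    @params << { column: column_name, value: value, quoter: quoter_id }
  end

  # Assumed matching rule: re-escape each recorded value and check that the
  # literal is present in the statement. A value that was escaped but never
  # appears escaped in the SQL is a sign the statement was assembled some
  # other way (e.g. raw interpolation) and deserves a closer look.
  def match(sql, quoter)
    @params.map do |p|
      literal = quoter.quote_without_immunio(p[:value])
      p.merge(found: sql.include?(literal))
    end
  end

  def reset!
    @params.clear
  end
end

# Minimal quoter standing in for the ActiveRecord connection adapter.
class ToyQuoter
  # The "original" quote: SQL-standard single quoting, doubling embedded quotes.
  def quote_without_immunio(value, _column = nil)
    case value
    when nil then "NULL"
    when true then "TRUE"
    when false then "FALSE"
    when Numeric then value.to_s
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # The hooked version, shaped like the page's quote_with_immunio.
  def quote_with_immunio(value, column = nil)
    column_name = column && column.name
    unless blank?(value) || IGNORED_TYPES.include?(value.class)
      QueryTracker.instance.add_param column_name, value.to_s, object_id
    end
    quote_without_immunio(value, column)
  end

  private

  # Simplified stand-in for ActiveSupport's blank? (no whitespace handling).
  def blank?(value)
    value.nil? || (value.respond_to?(:empty?) && value.empty?)
  end
end

# Query built entirely from hooked quoting: the one string param is tracked,
# the boolean and integer are ignored, and the string's literal is found.
def demo_properly_quoted
  QueryTracker.instance.reset!
  q = ToyQuoter.new
  name = q.quote_with_immunio("O'Brien", Column.new("name"))
  active = q.quote_with_immunio(true, Column.new("active"))
  limit = q.quote_with_immunio(10)
  sql = "SELECT * FROM users WHERE name = #{name} AND active = #{active} LIMIT #{limit}"
  { sql: sql, tracked: QueryTracker.instance.params.size,
    matches: QueryTracker.instance.match(sql, q) }
end

# Edge case: the value was passed through the quoter (so it is tracked), but the
# statement was assembled with the raw value instead of the escaped literal.
def demo_escaped_literal_missing
  QueryTracker.instance.reset!
  q = ToyQuoter.new
  raw = "O'Brien"
  q.quote_with_immunio(raw, Column.new("name"))
  sql = "SELECT * FROM users WHERE name = '#{raw}'"
  QueryTracker.instance.match(sql, q)
end
```

Run `demo_properly_quoted` to see the tracker record only the string parameter and locate its escaped form in the statement; `demo_escaped_literal_missing` shows the same value reported as not found when the SQL was built from the unescaped string, which is exactly the kind of discrepancy a param-to-query matcher exists to surface.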