Module: Immunio::QuotingHooks
- Extended by:
- ActiveSupport::Concern
- Defined in:
- lib/immunio/plugins/active_record.rb
Overview
Since every value that gets escaped is very likely to be a parameter passed to a SQL query, we hook the method that escapes values.
The captured params are then sent to the QueryTracker, which takes care of matching the params to the query they appear in.
Constant Summary
- IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Fixnum, Bignum, Float].freeze
Instance Method Summary
Instance Method Details
#quote_with_immunio(value, column = nil) ⇒ Object
```ruby
# File 'lib/immunio/plugins/active_record.rb', line 18
def quote_with_immunio(value, column = nil)
  Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
    if column
      column_name = column.name
    else
      column_name = nil
    end

    # Ignore empty strings and values that can't contain injections.
    unless value.blank? || IGNORED_TYPES.include?(value.class)
      QueryTracker.instance.add_param column_name, value.to_s, object_id
    end

    # Pause the plugin timer while the original (unhooked) quote runs.
    Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
      quote_without_immunio(value, column)
    end
  end
end
```
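The following is an added, stand-alone model of the hook described above; it is not Immunio's code. `FakeAdapter`, `Column`, the `QueryTracker` stand-in and the `quote_with_hook`/`quote_without_hook` names are assumptions made for the example, `Integer` replaces the page's `Fixnum`/`Bignum`, and ActiveSupport's `blank?` is emulated so the code runs without Rails.

```ruby
# Added example, not Immunio's code: a self-contained model of the hook above.
# A fake adapter's `quote` is wrapped by alias chaining; every escaped value
# except blanks and injection-safe types is queued in a tracker that later
# attributes the quoted params to the SQL text that used them.
IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Integer, Float].freeze # Integer replaces Fixnum/Bignum
Column = Struct.new(:name) # stand-in for an ActiveRecord column object

class QueryTracker
  def initialize; @params = []; end
  # Keyed by the quoting object's id so one connection's params are never matched to another's query.
  def add_param(column_name, value, adapter_id)
    @params << { column: column_name, value: value, adapter: adapter_id }
  end
  # Drain this adapter's pending params; return those whose quoted form appears in `sql`.
  def match(sql, adapter_id)
    mine, @params = @params.partition { |p| p[:adapter] == adapter_id }
    mine.select { |p| sql.include?(FakeAdapter.escape(p[:value])) }
  end
end

class FakeAdapter
  TRACKER = QueryTracker.new
  def self.escape(str)
    "'#{str.gsub("'", "''")}'" # simplified SQL string-literal escaping
  end
  def quote(value, _column = nil) # the original, untracked escaping
    case value
    when nil, true, false then value.nil? ? "NULL" : value.to_s.upcase
    when Numeric then value.to_s
    else self.class.escape(value.to_s)
    end
  end
  def quote_with_hook(value, column = nil)
    column_name = column && column.name
    # Skip empty strings and types that cannot carry an injection.
    unless value.to_s.strip.empty? || IGNORED_TYPES.include?(value.class)
      TRACKER.add_param(column_name, value.to_s, object_id)
    end
    quote_without_hook(value, column)
  end
  alias_method :quote_without_hook, :quote
  alias_method :quote, :quote_with_hook
end

def run_example
  adapter = FakeAdapter.new
  input = "O'Brien' OR 1=1 --" # constructed, suspicious user input
  sql = "SELECT * FROM users WHERE name = #{adapter.quote(input, Column.new('name'))} " \
        "AND active = #{adapter.quote(true)} LIMIT #{adapter.quote(5)}"
  [sql, FakeAdapter::TRACKER.match(sql, adapter.object_id)]
end
```

Only the string parameter is recorded and matched back to the query; the boolean and the integer are skipped because they cannot carry an injection, which is the same filtering the page's `IGNORED_TYPES` check performs.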