Module: Immunio::QuotingHooks

Extended by:
ActiveSupport::Concern
Defined in:
lib/immunio/plugins/active_record.rb

Overview

Since every value that gets escaped is very likely to be a param passed to a SQL query, we hook the method that escapes the values.

Params are then sent to the QueryTracker, which takes care of matching the params to the query.
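The hook-and-match flow described above, as an added stand-alone illustration that is not Immunio's code: a stand-in `Quoter` whose `quote` is wrapped by a prepended module (the plugin itself uses the `quote_with_immunio`/`quote_without_immunio` alias pair), a minimal `QueryTracker` that records each quoted value and later locates its quoted literal in the finished SQL, and `tracked_query`, which builds one query the way an application would. The quoting rules, `empty?` in place of ActiveSupport's `blank?`, and the simplified `add_param(value)` signature are assumptions for the example.

```ruby
IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Integer, Float].freeze # Integer covers Fixnum/Bignum on Ruby >= 2.4

# Stand-in for ActiveRecord's quoting rules (assumption: strings are wrapped in single
# quotes with embedded quotes doubled; NULL, numbers and booleans pass through as-is).
def sql_quote(value)
  case value
  when nil then "NULL"
  when Numeric, true, false then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Collects raw param values and later locates their quoted form in the final SQL.
class QueryTracker
  attr_reader :params
  def initialize; @params = []; end
  def add_param(value); @params << value; end
  # For each recorded param: [value, offset of its quoted literal in sql], nil offset if absent.
  def match(sql)
    @params.map { |p| [p, sql.index(sql_quote(p))] }
  end
end

# Stand-in for the connection object whose #quote the plugin hooks.
class Quoter
  attr_reader :tracker
  def initialize(tracker); @tracker = tracker; end
  def quote(value); sql_quote(value); end
end

# The hook: record anything that could carry an injection, then defer to the
# original #quote (Module#prepend here; Immunio aliases quote_with/without_immunio).
module QuotingHook
  def quote(value)
    unless value.to_s.empty? || IGNORED_TYPES.include?(value.class) # empty? stands in for blank?
      tracker.add_param(value.to_s)
    end
    super
  end
end
Quoter.prepend(QuotingHook)

# Builds the query an application would send; every value passes through the hook.
def tracked_query(name, active)
  tracker = QueryTracker.new
  quoter = Quoter.new(tracker)
  sql = "SELECT * FROM users WHERE name = #{quoter.quote(name)} AND active = #{quoter.quote(active)}"
  [sql, tracker.params, tracker.match(sql)]
end
```

Only the string reaches the tracker; the boolean is skipped because it cannot carry an injection, and the tracker can still point at where the user-supplied literal sits in the query.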

Constant Summary

IGNORED_TYPES =
[TrueClass, FalseClass, NilClass, Fixnum, Bignum, Float].freeze

Instance Method Summary

Instance Method Details

#quote_with_immunio(value, column = nil) ⇒ Object

Passing a column to `quote` has been deprecated in 5.0.



# File 'lib/immunio/plugins/active_record.rb', line 20

def quote_with_immunio(value)
  Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
    # Ignore empty strings and values whose types can't contain injections.
    unless value.blank? || IGNORED_TYPES.include?(value.class)
      QueryTracker.instance.add_param nil, value.to_s, object_id
    end

    Request.pause "plugin", "#{Module.nesting[0]}::#{__method__}" do
      quote_without_immunio(value)
    end
  end
end