Module: Immunio::QuotingHooks

Extended by:
ActiveSupport::Concern
Defined in:
lib/immunio/plugins/active_record.rb

Overview

Since every value that gets escaped is very likely a parameter passed to a SQL query, we hook the method that escapes the values.

Params are then sent to the QueryTracker which will take care of matching the params to the query.
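A minimal model of that flow, added here as an example and not Immunio's code: a stand-in connection class (`FakeConnection`) whose `quote` is wrapped in the same alias-chain style as the documented hook, and a `QueryTracker` whose `template` method is an assumed stand-in for "matching the params to the query". Every value that went through `quote` is located in the final SQL as a quoted literal and replaced by a placeholder, so the remaining text is the query's structure; a value interpolated without quoting never reaches the hook and therefore stays visible in that template. `IGNORED_TYPES` uses `Integer`, since Ruby 2.4 unified `Fixnum` and `Bignum` into it.

```ruby
# Added example, not Immunio's code: a minimal model of the hook described
# above. FakeConnection stands in for an ActiveRecord adapter, and
# QueryTracker#template is an assumed stand-in for matching params to the query.

# Types whose values cannot carry an injection payload. The page lists
# Fixnum/Bignum, which Ruby 2.4 unified into Integer.
IGNORED_TYPES = [TrueClass, FalseClass, NilClass, Integer, Float].freeze

class QueryTracker
  def self.instance
    @instance ||= new
  end

  def initialize
    # connection object_id => raw param strings recorded by the quote hook
    @params = Hash.new { |h, k| h[k] = [] }
  end

  # Called from the quote hook; `column` is unused here and kept only so the
  # call has the same shape as the documented hook's call.
  def add_param(_column, value, conn_id)
    @params[conn_id] << value
  end

  # Match every recorded param back into the final SQL. A quoted string
  # appears as '...' with embedded single quotes doubled, so that is the form
  # we look for. Each located literal becomes a '?' placeholder; what remains
  # is the query's structure, with nothing the application quoted left in it.
  def template(sql, conn_id)
    params = @params.delete(conn_id) || []
    params.each do |raw|
      literal = "'#{raw.gsub("'", "''")}'"
      sql = sql.sub(literal, '?') if sql.include?(literal)
    end
    sql
  end
end

class FakeConnection
  # Mimics the adapter's escaping: non-numeric values are wrapped in single
  # quotes, with embedded single quotes doubled.
  def quote(value)
    case value
    when nil then 'NULL'
    when true, false then value.to_s.upcase
    when Numeric then value.to_s
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # Where a real adapter would send the SQL, this returns the reconstructed
  # template so the caller can see what the tracker matched.
  def execute(sql)
    QueryTracker.instance.template(sql, object_id)
  end
end

# The hook, wired in the alias-chain style the documented method uses.
module QuotingHooks
  def self.included(base)
    base.class_eval do
      alias_method :quote_without_hook, :quote
      alias_method :quote, :quote_with_hook
    end
  end

  def quote_with_hook(value)
    # Skip blanks and values that cannot contain an injection
    # (to_s.strip.empty? stands in for ActiveSupport's blank?).
    unless value.to_s.strip.empty? || IGNORED_TYPES.include?(value.class)
      QueryTracker.instance.add_param nil, value.to_s, object_id
    end
    quote_without_hook(value)
  end
end

FakeConnection.include(QuotingHooks)

# Query built the safe way: every user value passes through quote, so the
# tracker can strip it out and the template shows only structure.
def quoted_template(name = "O'Brien", min_age = 30)
  conn = FakeConnection.new
  sql = "SELECT * FROM users WHERE name = #{conn.quote(name)} AND age > #{conn.quote(min_age)}"
  conn.execute(sql)
end

# Query built by string interpolation: the value never passes through quote,
# so nothing is recorded and it stays verbatim in the template. That leftover
# is what tells a reviewer the value was not escaped.
def unquoted_template(name = "O'Brien")
  conn = FakeConnection.new
  sql = "SELECT * FROM users WHERE name = '#{name}'"
  conn.execute(sql)
end

puts quoted_template   # SELECT * FROM users WHERE name = ? AND age > 30
puts unquoted_template # SELECT * FROM users WHERE name = 'O'Brien'
```

The tracker is keyed by the connection's `object_id`, as the documented hook does, so params recorded on one connection are only matched against SQL that connection later executes. Integers are deliberately not recorded: they are in `IGNORED_TYPES` because a numeric value cannot carry injection syntax, which is why `30` survives in the template while the string does not.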

Constant Summary

IGNORED_TYPES =
[TrueClass, FalseClass, NilClass, Fixnum, Bignum, Float].freeze

Instance Method Summary

Instance Method Details

#quote_with_immunio(value, column = nil) ⇒ Object

Passing a column to `quote` has been deprecated in 5.0.

# File 'lib/immunio/plugins/active_record.rb', line 20

def quote_with_immunio(value)
  if Request.current
    Request.time "plugin", "#{Module.nesting[0]}::#{__method__}" do
      # Ignore empty strings and values that can't contain injections.
      unless value.blank? || IGNORED_TYPES.include?(value.class)
        QueryTracker.instance.add_param nil, value.to_s, object_id
      end
    end
  end

  quote_without_immunio(value)
end