Class: LintFu::Rails::SqlInjectionChecker

Inherits:

Checker

Object
Checker
LintFu::Rails::SqlInjectionChecker

show all

Defined in:: lib/lint_fu/rails/sql_injection_checker.rb

Overview

Visit a Rails controller looking for ActiveRecord queries that contain interpolated strings.

Constant Summary collapse

FINDER_REGEXP =

/^(find|first|all)(_or_initialize)?(_by_.*_id)?/

SINK_OPTIONS =

Set.new([:conditions, :select, :order, :group, :from, :include, :join])

Instance Attribute Summary

Attributes inherited from Checker

#context, #file, #scan

Instance Method Summary collapse

#initialize(scan, context, filename, base_confidence = 1.0) ⇒ SqlInjectionChecker constructor

A new instance of SqlInjectionChecker.
#observe_call(sexp) ⇒ Object
#observe_class_begin(sexp) ⇒ Object
#observe_class_end(sexp) ⇒ Object
#observe_defn_begin(sexp) ⇒ Object
#observe_defn_end(sexp) ⇒ Object

Constructor Details

#initialize(scan, context, filename, base_confidence = 1.0) ⇒ `SqlInjectionChecker`

Returns a new instance of SqlInjectionChecker.

# File 'lib/lint_fu/rails/sql_injection_checker.rb', line 51

def initialize(scan, context, filename, base_confidence=1.0)
  super(scan, context, filename)
  @class_definition_scope = []
  @base_confidence = base_confidence
end

Instance Method Details

#observe_call(sexp) ⇒ `Object`

# File 'lib/lint_fu/rails/sql_injection_checker.rb', line 74

def observe_call(sexp)
  return if @class_definition_scope.empty? || !@in_method

  call    = sexp[2].to_s
  arglist = sexp[3]

  tp = tainted_params(arglist)
  if finder?(call) && !tp.empty?
    scan.issues << SqlInjection.new(scan, self.file, sexp, tp[0].to_ruby_string, @base_confidence)
  end
end

#observe_class_begin(sexp) ⇒ `Object`



57
58
59

# File 'lib/lint_fu/rails/sql_injection_checker.rb', line 57

def observe_class_begin(sexp)
  @class_definition_scope.push sexp
end

#observe_class_end(sexp) ⇒ `Object`



61
62
63

# File 'lib/lint_fu/rails/sql_injection_checker.rb', line 61

def observe_class_end(sexp)
  @class_definition_scope.pop
end

#observe_defn_begin(sexp) ⇒ `Object`

# File 'lib/lint_fu/rails/sql_injection_checker.rb', line 65

def observe_defn_begin(sexp)
  
  @in_method = true
end

#observe_defn_end(sexp) ⇒ `Object`



70
71
72

# File 'lib/lint_fu/rails/sql_injection_checker.rb', line 70

def observe_defn_end(sexp)
  @in_method = false
end