Class: RuboCop::Cop::GitlabSecurity::SqlInjection

Inherits:

Cop

Object
Cop
RuboCop::Cop::GitlabSecurity::SqlInjection

show all

Defined in:: lib/rubocop/cop/gitlab-security/sql_injection.rb

Overview

Check for use of where(“name = ‘#:name’”)

Passing user input to where() without parameterization can result in SQL Injection

Examples:


# bad
u = User.where("name = '#{params[:name]}'")

# good (parameters)
u = User.where("name = ? AND id = ?", params[:name], params[:id])
u = User.where(name: params[:name], id: params[:id])

Constant Summary collapse

MSG =

'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.
If this warning is in error you can white-list the line with `#rubocop:disable GitlabSecurity/SqlInjection`'.freeze

Instance Method Summary collapse

#on_send(node) ⇒ Object

Instance Method Details

#on_send(node) ⇒ `Object`

# File 'lib/rubocop/cop/gitlab-security/sql_injection.rb', line 29

def on_send(node)
  return unless where_user_input?(node)
  return unless node.arguments.any? { |e| string_var_string?(e) }

  add_offense(node, location: :selector)
end

Class: RuboCop::Cop::GitlabSecurity::SqlInjection

Overview

Examples:

Constant Summary collapse

Instance Method Summary collapse

Instance Method Details

#on_send(node) ⇒ Object

#on_send(node) ⇒ `Object`