Possible SQL injection
docs = category.documents.reorder("#{sort_by} DESC")
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
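The two findings above flag `reorder("#{sort_by} DESC")` / `reorder("#{sort_by} ASC")`, where a sort column from the request is interpolated into an ORDER BY fragment. The following is an added example, not code from this report, from the project or from Brakeman's documentation: it shows why that line is injectable and an allowlist-based alternative. `FakeRelation` and `DOCUMENT_SORT_COLUMNS` are hypothetical stand-ins so it runs without Rails or a database.

```ruby
# Hypothetical stand-in for an ActiveRecord relation: it only records the
# ORDER BY argument and renders it in simplified form, a string fragment
# verbatim and a hash as "column DIRECTION".
class FakeRelation
  def initialize(order = nil)
    @order = order
  end

  def reorder(order)
    FakeRelation.new(order)
  end

  def to_sql
    base = "SELECT * FROM documents"
    return base if @order.nil?
    clause = @order.is_a?(Hash) ? @order.map { |c, d| "#{c} #{d.to_s.upcase}" }.join(", ") : @order
    "#{base} ORDER BY #{clause}"
  end
end

# Vulnerable pattern, mirroring the flagged line: whatever the request sends
# as sort_by becomes SQL text, so it is not limited to a column name.
def unsafe_reorder(relation, sort_by)
  relation.reorder("#{sort_by} DESC")
end

# Constructed allowlist of columns a user may sort documents by.
DOCUMENT_SORT_COLUMNS = %w[title created_at updated_at].freeze

# Hardened pattern: the request value only selects one of the known column
# names (unknown values fall back to a default), and the order is passed in
# hash form so Rails builds the clause itself; no request string reaches SQL.
def safe_reorder(relation, sort_by, direction = "desc")
  column = DOCUMENT_SORT_COLUMNS.include?(sort_by) ? sort_by : "created_at"
  dir = direction.to_s.downcase == "asc" ? :asc : :desc
  relation.reorder(column.to_sym => dir)
end

if __FILE__ == $PROGRAM_NAME
  docs = FakeRelation.new
  puts unsafe_reorder(docs, "title; SELECT 1").to_sql # injected text passes through
  puts safe_reorder(docs, "title; SELECT 1").to_sql   # falls back to created_at DESC
  puts safe_reorder(docs, "title", "asc").to_sql      # ORDER BY title ASC
end
```

With a real relation the same `safe_reorder` shape applies: Brakeman warns because the string fragment contains interpolated input, and the allowlist removes that input from the query text entirely.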
Possible SQL injection
docs = category.documents.reorder("#{sort_by} ASC")
Method Category.update_category_order is defined at both app/models/category.rb:20 and app/models/category.rb:34.
def self.update_category_order(order)
This cop checks for duplicated instance (or singleton) method definitions.
Example:
# bad
def duplicated
  1
end

def duplicated
  2
end
Example:
# bad
def duplicated
  1
end

alias duplicated other_duplicated
Example:
# good
def duplicated
  1
end

def other_duplicated
  2
end
end at 38, 4 is not aligned with def at 34, 1.
end
This cop checks whether the end keywords of method definitions are aligned properly.
Two modes are supported through the EnforcedStyleAlignWith configuration parameter. If it's set to start_of_line (which is the default), the end shall be aligned with the start of the line where the def keyword is. If it's set to def, the end shall be aligned with the def keyword.
Example: EnforcedStyleAlignWith: start_of_line (default)
# bad
private def foo
    end

# good
private def foo
end
Example: EnforcedStyleAlignWith: def
# bad
private def foo
end

# good
private def foo
        end
end at 7, 3 is not aligned with def at 4, 1.
end
end at 37, 8 is not aligned with order.each_with_index do |id, i| at 35, 2.
end
This cop checks whether the end keywords are aligned properly for do end blocks.
Three modes are supported through the EnforcedStyleAlignWith configuration parameter:
- start_of_block: the end shall be aligned with the start of the line where the do appeared.
- start_of_line: the end shall be aligned with the start of the line where the expression started.
- either (which is the default): the end is allowed to be in either location. The autofixer will default to start_of_line.
Example: EnforcedStyleAlignWith: either (default)
# bad
foo.bar
   .each do
     baz
       end

# good
variable = lambda do |i|
  i
end
Example: EnforcedStyleAlignWith: start_of_block
# bad
foo.bar
   .each do
     baz
       end

# good
foo.bar
  .each do
     baz
   end
Example: EnforcedStyleAlignWith: start_of_line
# bad
foo.bar
   .each do
     baz
       end

# good
foo.bar
  .each do
     baz
end