presidentbeef/brakeman

View on GitHub
lib/brakeman/checks/check_dynamic_finders.rb

Summary

Maintainability
A
0 mins
Test Coverage
A
100%
require 'brakeman/checks/base_check'

#This check looks for regexes that include user input.
class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Check unsafe usage of find_by_*"

  def run_check
    if tracker.config.has_gem? :mysql and version_between? '2.0.0', '4.1.99'
      tracker.find_call(:method => /^find_by_/).each do |result|
        process_result result
      end
    end
  end

  def process_result result
    return unless original? result

    call = result[:call]

    if potentially_dangerous? call.method
      call.each_arg do |arg|
        if params? arg and not safe_call? arg
          warn :result => result,
            :warning_type => "SQL Injection",
            :warning_code => :sql_injection_dynamic_finder,
            :message => "MySQL integer conversion may cause 0 to match any string",
            :confidence => :medium,
            :user_input => arg

          break
        end
      end
    end
  end

  def safe_call? arg
    return false unless call? arg

    meth = arg.method
    meth == :to_s or meth == :to_i
  end

  def potentially_dangerous? method_name
    method_name.match(/^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/)
  end
end