Rails Brakeman SQL injection warning when using Arel syntax

In my Rails 3.2 app, Brakeman 1.8.3 raises a High confidence SQL injection warning for the following code in a model:

micropost.rb

def self.from_users_followed_by(user)
  followed_user_ids = Relationship.select(:followed_id).
                      where("follower_id = :user_id").
                      to_sql
  where("user_id IN (#{followed_user_ids}) OR user_id = :user_id",
        user_id: user.id)
end

However, when I change the code to not use Arel syntax, no warning is raised:

def self.from_users_followed_by(user)
  followed_user_ids = "SELECT followed_id FROM relationships
                       WHERE follower_id = :user_id"
  where("user_id IN (#{followed_user_ids}) OR user_id = :user_id",
        user_id: user.id)
end

Is this a false positive, or something to do with Arel syntax or the to_sql method...? I don't understand what the difference is between the actual code that gets executed in the two examples that would warrant the warning.

It's a false positive.

In this situation, Brakeman knows Relationship is a model, and that select and where are query methods. So it assumes Relationship.select(...).where(...).to_sql is a record attribute (and potentially dangerous). It shouldn't, though, since to_sql just generates the SQL code for the query as you mentioned. I'll fix this.

The second version of course does not warn because you are interpolating a string literal.
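Added example, not code from the question or the answer above: a small stand-in for ActiveRecord's named-bind substitution (no Rails required), showing why the to_sql-built query is safe. The inner where("follower_id = :user_id") is never bound, so to_sql emits the :user_id placeholder verbatim; the outer where then binds both placeholders, and only developer-written SQL text is ever interpolated while user.id goes through quoting. The quoting rules and the helper names are assumptions made for illustration.

```ruby
# Quote a bound value the way a SQL adapter would (simplified assumption):
# integers stay bare, nil becomes NULL, strings are single-quoted with
# embedded quotes doubled so they can never close the literal.
def quote_bound_value(value)
  case value
  when Integer then value.to_s
  when NilClass then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace every :name placeholder with its quoted bind value; a placeholder
# without a binding raises, as ActiveRecord does. "::type" (a SQL cast)
# is left untouched.
def replace_named_binds(sql, binds)
  sql.gsub(/(:?):([a-zA-Z]\w*)/) do
    if $1 == ":"
      $&
    elsif binds.key?($2.to_sym)
      quote_bound_value(binds[$2.to_sym])
    else
      raise ArgumentError, "missing value for :#{$2} in #{sql}"
    end
  end
end

# Constructed stand-in for what
# Relationship.select(:followed_id).where("follower_id = :user_id").to_sql
# returns in the question: the placeholder text survives in the SQL string.
FOLLOWED_USER_IDS_SQL =
  "SELECT followed_id FROM relationships WHERE follower_id = :user_id"

# Mirrors the outer where(...) in the question: the subquery SQL is
# interpolated (developer-controlled text only), then every :user_id
# placeholder, inner and outer, is bound to the quoted value.
def from_users_followed_by_sql(user_id)
  template = "user_id IN (#{FOLLOWED_USER_IDS_SQL}) OR user_id = :user_id"
  replace_named_binds(template, user_id: user_id)
end

if __FILE__ == $0
  puts from_users_followed_by_sql(42)
  puts from_users_followed_by_sql("1 OR 1=1")  # remains a quoted literal
end
```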
