Rails Brakeman SQL injection warning when using Arel syntax
In my Rails 3.2 app, Brakeman 1.8.3 raises a High confidence SQL injection warning for the following code in a model:

micropost.rb
def self.from_users_followed_by(user)
  # Build the subquery with Arel and render it to a SQL string; the :user_id
  # placeholder is left in the string and bound by the outer where() below.
  followed_user_ids = Relationship.select(:followed_id).
    where("follower_id = :user_id").
    to_sql
  where("user_id IN (#{followed_user_ids}) OR user_id = :user_id",
    user_id: user.id)
end
However, when I change the code to not use Arel syntax, no warning is raised:
def self.from_users_followed_by(user)
  # Same subquery written out as a plain string literal.
  followed_user_ids = "SELECT followed_id FROM relationships
    WHERE follower_id = :user_id"
  where("user_id IN (#{followed_user_ids}) OR user_id = :user_id",
    user_id: user.id)
end
Is this a false positive, or something to do with Arel syntax or the to_sql method...? I don't understand what the difference is between the actual code that gets executed in the two examples that would warrant the warning.
It's a false positive.

In this situation, Brakeman knows Relationship is a model, and that select and where are query methods. So it assumes Relationship.select(...).where(...).to_sql is a record attribute (and potentially dangerous). It shouldn't, though, since to_sql just generates the SQL code for the query as you mentioned. I'll fix this.
The second version of course does not warn because you are interpolating a string literal.
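The following script is an added illustration of the reasoning in the answer; it is not Brakeman's code, nor code from the question. Brakeman performs data-flow analysis over a parsed AST, whereas this toy only parses the two method bodies from the question line by line and applies one rule: an expression interpolated into a where() string is flagged unless it can be traced back to a plain string literal, and a value assigned from a model query chain such as Relationship.select(...) is treated as a (possibly tainted) record value. The regular expressions, the statement splitter and the `sql_injection_warnings` function are all assumptions made for this sketch.

```ruby
# Toy model of a Brakeman-style check (NOT Brakeman's implementation):
# an interpolated value is flagged unless it comes from a string literal.

# A chain like Relationship.select(...).where(...) is treated as a model
# query whose result is assumed to be a record value (assumption of the toy).
MODEL_QUERY = /\b[A-Z]\w*\.(?:select|where|order|find|all|joins)\b/
INTERPOLATION = /#\{([^}]*)\}/

# The two method bodies from the question, embedded here as constants.
ARELVERSION = <<~'RUBY'
  def self.from_users_followed_by(user)
    followed_user_ids = Relationship.select(:followed_id).
      where("follower_id = :user_id").
      to_sql
    where("user_id IN (#{followed_user_ids}) OR user_id = :user_id",
      user_id: user.id)
  end
RUBY

LITERAL_VERSION = <<~'RUBY'
  def self.from_users_followed_by(user)
    followed_user_ids = "SELECT followed_id FROM relationships
      WHERE follower_id = :user_id"
    where("user_id IN (#{followed_user_ids}) OR user_id = :user_id",
      user_id: user.id)
  end
RUBY

# Split a method body into statements. A line continues the previous
# statement when that statement ends with "." or "," or still contains an
# unterminated double-quoted string.
def statements(body)
  stmts = []
  body.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("def ") || line == "end"
    if !stmts.empty? && (stmts[-1] =~ /[.,]\z/ || stmts[-1].count('"').odd?)
      stmts[-1] = "#{stmts[-1]} #{line}"
    else
      stmts << line
    end
  end
  stmts
end

# Where did an interpolated value come from?
def classify(rhs)
  return :string_literal if rhs.start_with?('"', "'")
  return :model_query if rhs =~ MODEL_QUERY
  :unknown
end

# Return the interpolations inside where("...") calls that the toy rule
# flags: everything not traceable to a plain string literal.
def sql_injection_warnings(body)
  vars = {}
  warnings = []
  statements(body).each do |stmt|
    if (m = stmt.match(/\A(\w+)\s*=\s*(.*)\z/))
      vars[m[1]] = m[2]            # remember what each local was assigned from
    elsif stmt.start_with?("where(")
      stmt.scan(INTERPOLATION).flatten.each do |expr|
        name = expr.strip
        origin = classify(vars.fetch(name, name))
        warnings << { expression: name, origin: origin } unless origin == :string_literal
      end
    end
  end
  warnings
end

if __FILE__ == $0
  p sql_injection_warnings(ARELVERSION)     # flagged: built from a model query chain
  p sql_injection_warnings(LITERAL_VERSION) # nothing flagged: plain string literal
end
```

Run it with `ruby brakeman_toy.rb`: the Arel version yields one warning for `followed_user_ids` with origin `:model_query`, the literal version yields none. That is exactly the asymmetry the answer describes; the toy, like Brakeman 1.8.3, has no rule saying that `to_sql` turns a query chain back into static SQL with no record data in it.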