
fix(ruby): tighten sql injection patterns #465

Merged (2 commits, Oct 7, 2024)
@elsapet elsapet (Collaborator) commented Oct 7, 2024

Description

Some Active Record methods that are vulnerable to SQL injection are also methods used by e.g. the Enumerable class (such as count, sum). This can result in a lot of false positives from Ruby's SQLi rule.

In this PR, we tighten the SQLi patterns for these shared methods. Namely,

  • Limit caller to a suspected Active Record model (starts with a capital, but is not all caps) or associations (ends with an s)
  • Remove naked pattern (no caller)

Alternate solutions considered:

  1. Remove these shared methods entirely, given their propensity for false positives. Rejected because there is no sanitization on Active Record's end, making these methods (count especially) quite dangerous if exposed to SQL injection
  2. Restrict to user input instead of dynamic input. Rejected because a decision was taken to extend SQL injection patterns to include unsanitized dynamic input, given the potential for severe consequences from SQLi

Checklist

If this is your first time contributing, please sign the CLA

  • My rule has adequate metadata to explain its use.
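The caller heuristic described in the PR above, written out as a toy detector. This is an added example, not code from the PR or from the rule repository; the `dynamic_argument?` approximation, the `SAMPLE` source and the `scan` helper are constructed for illustration and are much narrower than the real rule.

```ruby
# Added example, not code from the PR or the rule repository.
# count/sum with a dynamic argument is flagged only when the caller looks like an
# Active Record model (Capitalized, not ALL CAPS) or an association (ends with "s").
SHARED_METHODS = %w[count sum].freeze

def suspected_active_record_caller?(caller)
  return false if caller.nil? || caller.empty?   # naked call: that pattern was removed
  model = caller.match?(/\A[A-Z]/) && !caller.match?(/\A[A-Z0-9_]+\z/)
  association = caller.end_with?("s")
  model || association
end

# Constructed approximation of "dynamic input": anything other than a symbol,
# a number, or a string literal without interpolation.
def dynamic_argument?(arg)
  a = arg.to_s.strip
  return false if a.empty?
  return false if a.match?(/\A(:\w+|'[^']*'|\d+)\z/)
  return false if a.match?(/\A"[^"]*"\z/) && !a.include?('#{')
  true
end

CALL_RE = /(?:(?<caller>\w+)\.)?(?<method>#{SHARED_METHODS.join('|')})\((?<arg>[^)]*)\)/

def flag_sqli?(line)
  m = CALL_RE.match(line)
  return false unless m
  suspected_active_record_caller?(m[:caller]) && dynamic_argument?(m[:arg])
end

# Returns the 1-based line numbers that the tightened pattern would report.
def scan(source)
  source.lines.each_with_index.filter_map { |line, i| i + 1 if flag_sqli?(line) }
end

# Constructed sample: lines 1 and 2 are the true positives the PR keeps; the rest
# are Enumerable or literal calls that the old naked pattern would have reported.
SAMPLE = <<~'RUBY'
  User.count(params[:column])            # model caller, dynamic arg -> flagged
  user.orders.sum("#{params[:field]}")   # association caller, interpolation -> flagged
  [1, 2, 3].count(params[:n])            # array literal caller -> not flagged
  ALLOWED_COLUMNS.count(value)           # ALL CAPS constant -> not flagged
  User.count(:id)                        # literal symbol -> not flagged
  total.count(value)                     # lowercase, not plural -> not flagged
RUBY

puts scan(SAMPLE).inspect if $PROGRAM_NAME == __FILE__   # prints [1, 2]
```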

@elsapet elsapet requested a review from gotbadger October 7, 2024 09:03
@elsapet elsapet merged commit b6a88ee into main Oct 7, 2024
25 checks passed
@elsapet elsapet deleted the fix/ruby/sqli-pattern branch October 7, 2024 09:26