
Commit f98479d

Ruby: prepare test case whitespace
1 parent 3614d3d commit f98479d

2 files changed

+229
-225
lines changed

ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,10 @@ class User < ApplicationRecord
88
def self.authenticate(name, pass)
99
# BAD: possible untrusted input interpolated into SQL fragment
1010
find(:first, :conditions => "name='#{name}' and pass='#{pass}'")
11+
# BAD: interpolation in array argument
12+
# find(:first, conditions: ["name='#{name}' and pass='#{pass}'"])
13+
# GOOD: using SQL parameters
14+
# find(:first, conditions: ["name = ? and pass = ?", name, pass])
1115
end
1216

1317
def self.from(user_group_id)
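Review bot: the two new variants at 12+ and 14+ are commented out, so neither the array-argument interpolation case (`# find(:first, conditions: ["name='#{name}' and pass='#{pass}'"])`) nor the parameterised GOOD case will be analysed, and the query's result for the array form stays untested. If this is deliberate staging for a follow-up, say so in the comment (for example "disabled until the query handles array conditions"); otherwise enable them so the BAD line is expected to be flagged and the GOOD line is expected to be clean. Minor style point: the added lines use `conditions:` hash syntax while the existing line 10 uses `:conditions =>`; either is fine in a test file, but mixing both within one method makes it harder to see which syntax a given result corresponds to.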
@@ -117,7 +121,7 @@ def some_request_handler
117121

118122
# BAD: executes `SELECT users.* FROM #{params[:tab]}`
119123
# where `params[:tab]` is unsanitized
120-
User.all.from(params[:tab])
124+
User.all.from(params[:tab])
121125
# BAD: executes `SELECT "users".* FROM (SELECT "users".* FROM "users") #{params[:sq]}
122126
User.all.from(User.all, params[:sq])
123127
end
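Review bot: the removed line 120 and the added line 124 carry identical text (`User.all.from(params[:tab])`), so this hunk is an indentation-only change, consistent with the commit message. Two things to check: the new indentation should match the `User.all.from(User.all, params[:sq])` line directly below it so the two BAD cases in `some_request_handler` line up, and the four-line shift introduced by the first hunk (120 becomes 124) means any expected-results file that records alert positions by line number has to be regenerated rather than hand-edited, which is presumably what the second changed file in this commit covers.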
