Skip to content

SQL Injection Too Blunt #177

New issue
New issue
Open
Open
SQL Injection Too Blunt#177
@warmwaffles

Description

@warmwaffles
warmwaffles
opened on Feb 12, 2025

Given this simple example:

defmodule MyApp.CustomLoader do
  import Ecto.Query

  def source do
    Dataloader.Ecto.new(MyApp.Repo, query: &query/2)
  end

  def query(queryable, params) do
    Enum.reduce(params, queryable, &handle_params/2)
  end

  defp handle_params({:order_by, order_by}, queryable) do
    order_by(queryable, ^order_by)
  end

  defp handle_params(_, queryable), do: queryable
end

The SQL "injection" is bluntly saying query is the reason.

sobelow/lib/sobelow/sql/query.ex

Line 17 in b47ad2f

@query_funcs [:query, :query!]

I am forced to throw # sobelow_skip ["SQL.Query"] any time I need to build out a dataloader that builds an ecto query using Ecto.Query

And then the kicker here is if I rename function from query/2 to somethingelse/2 the check doesn't care.

defmodule MyApp.CustomLoader do
  import Ecto.Query

  def source do
    Dataloader.Ecto.new(MyApp.Repo, query: &somethingelse/2)
  end

  def somethingelse(queryable, params) do
    Enum.reduce(params, queryable, &handle_params/2)
  end

  defp handle_params({:order_by, order_by}, queryable) do
    order_by(queryable, ^order_by)
  end

  defp handle_params(_, queryable), do: queryable
end

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions