class Railroader::CheckDynamicFinders

This check looks for regexes that include user input.

Public Instance Methods

potentially_dangerous?(method_name) click to toggle source
# File lib/railroader/checks/check_dynamic_finders.rb, line 45
def potentially_dangerous? method_name
  method_name.match /^find_by_.*(token|guid|password|api_key|activation|code|private|reset)/
end
process_result(result) click to toggle source
# File lib/railroader/checks/check_dynamic_finders.rb, line 17
def process_result result
  return unless original? result

  call = result[:call]

  if potentially_dangerous? call.method
    call.each_arg do |arg|
      if params? arg and not safe_call? arg
        warn :result => result,
          :warning_type => "SQL Injection",
          :warning_code => :sql_injection_dynamic_finder,
          :message => "MySQL integer conversion may cause 0 to match any string",
          :confidence => :medium,
          :user_input => arg

        break
      end
    end
  end
end
run_check() click to toggle source
# File lib/railroader/checks/check_dynamic_finders.rb, line 9
def run_check
  if tracker.config.has_gem? :mysql and version_between? '2.0.0', '4.1.99'
    tracker.find_call(:method => /^find_by_/).each do |result|
      process_result result
    end
  end
end
safe_call?(arg) click to toggle source
# File lib/railroader/checks/check_dynamic_finders.rb, line 38
def safe_call? arg
  return false unless call? arg

  meth = arg.method
  meth == :to_s or meth == :to_i
end