On 07/13/2012 01:23 PM, Konrad Merz wrote:
> Hey,
>
> we use Brakeman and first of all are really happy with it.
>
> But I got a question. Brakeman warns about sql injection
> on some code where I would not have suspected it.
>
> Afaik arel_table is considered to be sql sanitized. So I got code
> like this:
>
> ar_table = Post.arel_table
> @posts = Post.where(ar_table[:itype].eq("SpecialPost"))
>
> and Brakeman warns. I guess because I don't have a hash as parameter
> for where but arel_table.
>
> Can I ignore the warning, or do I misunderstand the concept of
> arel_table?
>
> -kmerz
>
Hi,

Glad Brakeman is working for you.

I'm fairly certain you can ignore this warning, although I'm not really 
familiar with the Arel internals (and I didn't see much documentation).

Brakeman is being overly aggressive when it comes to method calls on 
model classes, because there are so many dynamic methods that Rails 
uses. There should probably be some checks to make sure it doesn't warn 
on methods that are known to be safe. I'll put it on my list.

Thanks,
Justin
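
The shape-based heuristic discussed above can be illustrated with a small stand-alone script. This is an added example, not Brakeman's code and not code from either message; Brakeman's own analysis is considerably more involved. It parses a handful of `where` calls with Ruby's bundled `Ripper` and sorts them by the syntactic form of the argument: an interpolated string is the pattern an SQL injection warning exists for, a hash of conditions is parameterized by ActiveRecord, and an Arel predicate such as `eq` quotes its value when Arel generates the SQL rather than splicing it into the query text. The Arel sample is Konrad's line from the thread; the other samples and the `params[:type]` input are constructed for the example.

```ruby
require "ripper"

# Constructed sample calls. The :arel entry is the line from the thread;
# the rest are made up to cover the other argument shapes Brakeman sees.
SAMPLES = {
  arel:         'Post.where(ar_table[:itype].eq("SpecialPost"))',
  hash:         'Post.where(itype: params[:type])',
  interpolated: 'Post.where("itype = \'#{params[:type]}\'")',
  static:       'Post.where("itype = \'SpecialPost\'")',
  bound:        'Post.where("itype = ?", params[:type])',
}.freeze

# Arel::Predications methods whose values Arel quotes for us.
AREL_PREDICATES = %w[eq not_eq in not_in lt lteq gt gteq matches does_not_match].freeze

# Depth-first walk over a Ripper s-expression, yielding every node
# (an Array whose first element is the node-type Symbol).
def each_node(sexp, &blk)
  return unless sexp.is_a?(Array)
  yield sexp if sexp.first.is_a?(Symbol)
  sexp.each { |child| each_node(child, &blk) }
end

# Collect the argument sub-trees of every `where(...)` call in the tree.
# Both `Post.where(...)` (:call) and bare `where(...)` (:fcall) keep the
# method-name ident as the last element of the callee node.
def where_call_args(sexp)
  found = []
  each_node(sexp) do |node|
    next unless node.first == :method_add_arg
    callee, args = node[1], node[2]
    name = callee.last
    next unless name.is_a?(Array) && name[0] == :@ident && name[1] == "where"
    found << args
  end
  found
end

# Classify one argument list by the syntactic shape that matters for
# SQL injection, most dangerous form first.
def classify(args)
  types  = []
  idents = []
  each_node(args) do |n|
    types  << n.first
    idents << n[1] if n.first == :@ident
  end

  if types.include?(:string_embexpr)
    :interpolated_string   # "#{...}" inside the SQL fragment: warn
  elsif types.include?(:bare_assoc_hash) || types.include?(:hash)
    :hash_conditions       # ActiveRecord binds the values: safe
  elsif (idents & AREL_PREDICATES).any?
    :arel_predicate        # Arel quotes the value: safe (the thread's false positive)
  elsif types.include?(:string_literal)
    :string_conditions     # plain literal or "?" placeholders: nothing interpolated
  else
    :unknown               # anything else deserves a human look
  end
end

# Parse one snippet and classify each `where` call it contains.
def audit(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, "could not parse: #{source}" if sexp.nil?
  where_call_args(sexp).map { |args| classify(args) }
end

# Run every sample; each sample has exactly one `where` call.
def audit_samples
  SAMPLES.transform_values { |src| audit(src).first }
end

if $PROGRAM_NAME == __FILE__
  audit_samples.each { |name, verdict| puts "#{name.to_s.ljust(13)} #{verdict}" }
end
```

Only the `:interpolated` sample is the pattern the warning is meant to catch; the Arel call lands in the same bucket as other method calls on the model only because a purely syntactic check cannot see how `eq` renders its value, which is the over-aggressiveness described above.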
