Hey,

thank you very much for the fast answer.

> AFAIK that query is certainly safe.
> > I'm fairly certain you can ignore this warning, although I'm not really 
> > familiar with the Arel internals (and I didn't see much documentation).

That's good to know. And yes, I didn't see much documentation myself, which
is a pity, since Arel can do nice tricks and, as I had also already assumed, in
a safe manner.

Thanks again.

-k_merz

> 
> Was that the actual code snippet or was it a normalized version?  Without any 
> user-supplied input, Brakeman shouldn't warn at all.  Seems like 
> Posts.arel_table would raise an error :) 
> 
> Neil Matatall
> @nilematotle
> 
> 
> On Friday, July 13, 2012 at 1:53 PM, Justin Collins wrote:
> 
> > On 07/13/2012 01:23 PM, Konrad Merz wrote:
> > > Hey,
> > > 
> > > we use Brakeman and first of all are really happy with it.
> > > 
> > > But I got a question. Brakeman warns about SQL injection
> > > on some code where I would not have suspected it.
> > > 
> > > AFAIK arel_table is considered to be SQL sanitized. So I got code
> > > like this:
> > > 
> > > ar_table = Posts.arel_table
> > > @posts = Post.where(ar_table[:itype].eq("SpecialPost"))
> > > 
> > > and Brakeman warns. I guess because I don't have a hash as the parameter
> > > for where but an arel_table.
> > > 
> > > Can I ignore the warning, or do I misunderstand the concept of
> > > arel_table?
> > > 
> > > -kmerz
> > Hi,
> > 
> > Glad Brakeman is working for you.
> > 
> > I'm fairly certain you can ignore this warning, although I'm not really 
> > familiar with the Arel internals (and I didn't see much documentation).
> > 
> > Brakeman is being overly aggressive when it comes to method calls on 
> > model classes, because there are so many dynamic methods that Rails 
> > uses. There should probably be some checks to make sure it doesn't warn 
> > on methods that are known to be safe. I'll put it on my list.
> > 
> > Thanks,
> > Justin
> > 
> > 
> 
> 

-- 
Konrad Merz

genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999,  www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
