Hi Justin,

Sorry, I forgot to mention the following:

In the controller I have:
     @country = Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])

And in the view I have
     <%= @country.name %>

The warning goes away if I trick Brakeman with this in the controller:
     params[:name].tap do |name|
       Country.find(:all, :conditions => [ "LOWER(name) = ?", name.mb_chars.downcase ])
     end

Thanks!
Ronie

On 3/13/2015 5:01 PM, Justin wrote:
> Hi Ronie,
>
> Are you sure this is the code generating the warning? I cannot reproduce
> the warning. Brakeman should definitely not be warning about this.
>
> -Justin
>
> On 2015-03-13 16:55, Ronie Henrich wrote:
>> Brakeman is reporting Unescaped parameter value when using find with
>> parameterized queries (? or named placeholders).
>>
>>       Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])
>>
>>       params[:name] = "Robert"
>>       Generated SQL:
>>           SELECT * FROM countries WHERE (LOWER(name) = 'robert');
>>
>>       params[:name] = "Robert');DELETE * FROM countries;"
>>       Generated SQL:
>>           SELECT * FROM countries WHERE (LOWER(name) = 'robert'');DELETE * FROM countries;');
>>
>>
>> As ActiveRecord sanitizes the parameters in a parameterized query, is
>> there any harm that could still be done with params being unescaped on
>> the find above or is it a False Positive?
>>
>> Thanks!
>> Ronie

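Added example (not code from the thread or from Brakeman/Rails): the point under discussion is that a `?` placeholder in an ActiveRecord conditions array is quoted before it reaches the database, so the `');DELETE ...` payload stays inside a single string literal, whereas the same value interpolated into the SQL string would terminate the literal. The block below models that with a minimal, pure-Ruby stand-in for `sanitize_sql_array` that applies the standard SQL rule of doubling single quotes (real ActiveRecord delegates quoting to the database adapter), uses plain `String#downcase` in place of `mb_chars.downcase` so it runs without ActiveSupport, and adds a crude statement counter that is only an illustration, not a real SQL parser.

```ruby
# Simplified stand-in for ActiveRecord's sanitize_sql_array (assumption: the
# real thing quotes through the DB adapter; here only single-quote doubling).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def sanitize_sql_array(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  template.gsub("?") { quote_literal(pending.shift) }
end

# Parameterized form, as in the thread's Country.find call: the value is
# quoted as a whole, so a quote inside it cannot close the literal.
def find_country_sql(name)
  "SELECT * FROM countries WHERE (" +
    sanitize_sql_array("LOWER(name) = ?", name.downcase) + ");"
end

# Unsafe counterpart for contrast: direct interpolation lets the attacker's
# quote end the literal and append a second statement.
def find_country_sql_interpolated(name)
  "SELECT * FROM countries WHERE (LOWER(name) = '#{name.downcase}');"
end

# Counts top-level statements by ';' outside single-quoted literals, treating
# '' inside a literal as an escaped quote. Illustrative only, not a SQL parser.
def statement_count(sql)
  in_string = false
  count = 0
  chars = sql.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == "'"
      if in_string && chars[i + 1] == "'"
        i += 1 # escaped quote, stay inside the literal
      else
        in_string = !in_string
      end
    elsif c == ";" && !in_string
      count += 1
    end
    i += 1
  end
  count
end

# Constructed sample input, the same payload used in the thread.
PAYLOAD = "Robert');DELETE * FROM countries;"

if __FILE__ == $PROGRAM_NAME
  puts find_country_sql(PAYLOAD)
  puts find_country_sql_interpolated(PAYLOAD)
  puts "parameterized: #{statement_count(find_country_sql(PAYLOAD))} statement(s)"
  puts "interpolated:  #{statement_count(find_country_sql_interpolated(PAYLOAD))} statement(s)"
end
```

Running it shows the parameterized query still contains exactly one statement with the payload trapped inside the literal, while the interpolated version contains two. On Rails 4.1 and later the `find(:all, :conditions => ...)` style no longer exists; the equivalent parameterized call is `Country.where("LOWER(name) = ?", params[:name].mb_chars.downcase)`, and a scalar comparison like this one can also be written without any SQL string as `Country.where(name: ...)` if the case-folding is done on the Ruby side.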