> With the ActiveRecord API as is, it’s relatively easy to write
> applications with SQL injection bugs, and those bugs don’t particularly
> stand out in code reviews. For example,
> Customer.where("name like "%#{params[:id]}%")
>
> While a careful security code review would likely spot this type of bug,
> there is still a significant risk that it’d be missed, in particular in an
> agile project with frequent releases that can’t afford to do an in-depth
> security review between each release.
>
It is possible to overlook user input in string interpolations - especially
if they have been given a temporary variable name, not just params[thing].
But that is one of the things Brakeman is good at detecting already:
https://github.com/presidentbeef/brakeman
--
Cynthia Kiser
[email protected]
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en.
