Re: [brakeman] Arel Table Sql Injection?

2012-07-13 Thread Konrad Merz
Hey,

thank you very much for fast answer.

> AFAIK that query is certainly safe.
> > I'm fairly certain you can ignore this warning, although I'm not really 
> > familiar with the Arel internals (and I didn't see much documentation).

That's good to know. And yes, I didn't see much documentation myself. Which
is a pity, since Arel can do nice tricks and, as I also already assumed, in
a safe manner.

Thanks again.

-k_merz

> 
> Was that the actual code snippet or was it a normalized version?  Without any 
> user-supplied input, brakeman should warn at all.  Seems like 
> Posts.arel_table would raise an error :) 
> 
> Neil Matatall
> @nilematotle
> 
> 
> On Friday, July 13, 2012 at 1:53 PM, Justin Collins wrote:
> 
> > On 07/13/2012 01:23 PM, Konrad Merz wrote:
> > > Hey,
> > > 
> > > we use Brakeman and first of all are really happy with it.
> > > 
> > > But I got a question. Brakeman warns about SQL injection
> > > on some code where I would not have suspected it.
> > > 
> > > Afaik arel_table is considered to be SQL sanitized. So I got code
> > > like this:
> > > 
> > > ar_table = Posts.arel_table
> > > @posts = Post.where(ar_table[:itype].eq("SpecialPost"))
> > > 
> > > and Brakeman warns. I guess because I don't have hash as parameter
> > > for where but arel_table.
> > > 
> > > Can I ignore the warning, or do I misunderstand the concept of
> > > arel_table?
> > > 
> > > -kmerz
> > Hi,
> > 
> > Glad Brakeman is working for you.
> > 
> > I'm fairly certain you can ignore this warning, although I'm not really 
> > familiar with the Arel internals (and I didn't see much documentation).
> > 
> > Brakeman is being overly aggressive when it comes to method calls on 
> > model classes, because there are so many dynamic methods that Rails 
> > uses. There should probably be some checks to make sure it doesn't warn 
> > on methods that are known to be safe. I'll put it on my list.
> > 
> > Thanks,
> > Justin
> > 
> > 
> 
> 

-- 
Konrad Merz

genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999,  www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238


Re: [brakeman] Arel Table Sql Injection?

2012-07-13 Thread Justin Collins
On 07/13/2012 01:23 PM, Konrad Merz wrote:
> Hey,
>
> we use Brakeman and first of all are really happy with it.
>
> But I got a question. Brakeman warns about SQL injection
> on some code where I would not have suspected it.
>
> Afaik arel_table is considered to be SQL sanitized. So I got code
> like this:
>
> ar_table = Posts.arel_table
> @posts = Post.where(ar_table[:itype].eq("SpecialPost"))
>
> and Brakeman warns. I guess because I don't have hash as parameter
> for where but arel_table.
>
> Can I ignore the warning, or do I misunderstand the concept of
> arel_table?
>
> -kmerz
>
Hi,

Glad Brakeman is working for you.

I'm fairly certain you can ignore this warning, although I'm not really 
familiar with the Arel internals (and I didn't see much documentation).

Brakeman is being overly aggressive when it comes to method calls on 
model classes, because there are so many dynamic methods that Rails 
uses. There should probably be some checks to make sure it doesn't warn 
on methods that are known to be safe. I'll put it on my list.

Thanks,
Justin
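As an added illustration of Justin's point about checks for known-safe arguments (this is example code, not Brakeman's implementation or anything from the thread): a toy classifier for the argument of a trailing `where(...)` call that warns on interpolated SQL strings and unknown expressions, but treats hash conditions, `?` placeholders and Arel predicates on a table node as safe. It assumes the Arel receiver is named `*table` or is `Model.arel_table`, matching the thread's snippet, and the source lines it audits are constructed here.

```ruby
# Added example, not Brakeman's own code: a toy version of the heuristic that
# flags non-hash arguments to where(), plus the "known safe" check Justin
# mentions, applied to a few constructed source lines. Standard library only.

# Shapes of where() arguments that produce quoted SQL and so need no warning.
SAFE_WHERE_ARGS = [
  # hash conditions: where(itype: x) / where(:itype => x) / where({...})
  /\A(\{.*\}|\w+:\s.*|:\w+\s*=>.*)\z/m,
  # bind placeholders: where("itype = ?", x) or where(["itype = ?", x])
  /\A\[?\s*["'][^"'#]*\?/,
  # Arel predicate on a table node; assumes (hypothetically) the receiver is
  # named *table or is Model.arel_table, as in the thread's snippet
  /\A(\w*table|[A-Z]\w*\.arel_table)\[:\w+\]\.(eq|not_eq|in|not_in|matches|gt|gteq|lt|lteq)\(/
]

# Return the argument text of a trailing .where(...) call, or nil.
# (Calls chained after where() are ignored to keep the toy small.)
def where_argument(line)
  m = line.match(/\.where\((.*)\)\s*\z/)
  m && m[1].strip
end

# :no_where, :safe or :warn for one line of Ruby source.
def classify_where(line)
  arg = where_argument(line)
  return :no_where if arg.nil?
  return :warn if arg =~ /\A"[^"]*#\{/           # interpolated SQL string
  return :safe if SAFE_WHERE_ARGS.any? { |re| arg =~ re }
  :warn                                          # unknown expression: stay conservative
end

# Audit a whole source string; returns [[line_no, verdict], ...] for where() lines.
def audit(source)
  source.lines.each_with_index.map { |l, i| [i + 1, classify_where(l.chomp)] }
        .reject { |_, v| v == :no_where }
end

# Constructed sample: line 2 is the thread's snippet (with the model name
# corrected to Post), line 3 is a genuine interpolation defect.
SAMPLE = <<~RUBY
  ar_table = Post.arel_table
  @posts = Post.where(ar_table[:itype].eq("SpecialPost"))
  @posts = Post.where("itype = '\#{params[:itype]}'")
  @posts = Post.where(itype: params[:itype])
RUBY

puts audit(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints `[[2, :safe], [3, :warn], [4, :safe]]`: the Arel line from the thread is no longer reported, while the interpolated string still is.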