Ignore more Arel calls

Fixes #604

Ignore more Arel calls
Fixes #604
53bbaf85 · Justin Collins · e626fdc3 · 53bbaf85 · 53bbaf85 · 53bbaf85
Showing with 46 addition and 1 deletion

lib/brakeman/checks/check_sql.rb lib/brakeman/checks/check_sql.rb +8 -1

test/apps/rails4/app/models/user.rb test/apps/rails4/app/models/user.rb +9 -0

test/tests/rails4.rb test/tests/rails4.rb +29 -0

未找到文件。
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -551,7 +551,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
    :sanitize_sql_for_conditions, :sanitize_sql_hash,
    :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql, :sanitize, :exists, :primary_key, :table_name_prefix, :table_name_suffix]
+    :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix]

  def safe_value? exp
    return true unless sexp? exp
@@ -565,6 +565,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
      else
        IGNORE_METHODS_IN_SQL.include? exp.method or
        quote_call? exp or
+        arel? exp or
        exp.method.to_s.end_with? "_id"
      end
    when :if
@@ -588,6 +589,12 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    end
  end

+  AREL_METHODS = [:not, :and, :or, :exists, :join_sources, :arel_table, :gt, :lt, :on, :eq, :eq_any, :where]
+
+  def arel? exp
+    call? exp and (AREL_METHODS.include? exp.method or arel? exp.target)
+  end
+
  #Check call for string building
  def check_call exp
    return unless call? exp

--- a/test/apps/rails4/app/models/user.rb
+++ b/test/apps/rails4/app/models/user.rb
@@ -23,4 +23,13 @@ class User < ActiveRecord::Base
               end
    order(ordering) # should not warn about `asc` interpolation
  }
+
+  def much_arel # None of these should warn
+    group_recipient = User.joins(:group).where(User.arel_table[:message_id].eq Email.arel_table[:id])
+    group_with_special_property = group_recipient.where(:groups => { :private => false, :special_property => true })
+    Email.where(group_recipient.exists.not.or(group_with_special_property.exists))
+
+    User.select('users.id').joins(User.joins(:deal_purchases).join_sources).where(Email.arel_table[:created_at].gt(last_activity)).group('users.id')
+    User.where(User.joins(:group).where(User.arel_table[:message_id].eq arel_table[:id]))
+  end
 end
--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -643,6 +643,35 @@ class Rails4Tests < Test::Unit::TestCase
      :user_input => s(:lvar, :locale)
  end

+ def test_no_sql_injection_from_arel_methods
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "61d957cdeca70a82f53d7ec72287fc21f67c67c6e8dbc9c3c4cb2d115f3a5602",
+      :warning_type => "SQL Injection",
+      :line => 30,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :relative_path => "app/models/user.rb"
+
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "46a08db9c5b2739027a34c37cbb79c0813247e5bba856705a56174173e230f4b",
+      :warning_type => "SQL Injection",
+      :line => 32,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :relative_path => "app/models/user.rb"
+
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "64233e939bcef59cf6100c75cfefaf2968734305d4431622556e2f612b10a912",
+      :warning_type => "SQL Injection",
+      :line => 33,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :relative_path => "app/models/user.rb"
+  end
+ 
  def test_format_validation_model_alias_processing
    assert_warning :type => :model,
      :warning_code => 30,