Rails Brakeman order SQL injection


Problem description

How can I avoid a Brakeman warning in Rails when constructing an order method from parameters?

def index
  @methods = [:name, :manager, :deadline]
  # The order clause is assembled from a whitelisted column and a fixed direction
  assignments = Assignment.order(sort_column(@methods) + " " + sort_direction).received(current_user).root
end

# Returns the requested column only if it is one of the allowed names.
# Comparing as strings is needed because @methods holds symbols while
# params[:sort] is a string; a Symbol == String comparison is always false,
# and Symbol + String would raise, so the result is converted with to_s.
def sort_column(column_names)
  column_names.each do |column|
    return column.to_s if column.to_s == params[:sort]
  end
  return 'updated_at'
end

# Only the two literal values can ever reach the query
def sort_direction
  params[:direction] == 'asc' ? 'asc' : 'desc'
end

I'm working hard to avoid ever putting user-generated code directly into the query, but Brakeman still alerts (medium confidence) that this is a SQL injection vulnerability.

Is this a false positive? If not, how do I correct the vulnerability?

If so, is there an easy way to avoid the false positive?

Recommended answer

Okay, this is too long for a comment.

From my testing, moving the string building into a method like this does make the warning go away:

def index
  @methods = [:name, :manager, :deadline]
  assignments = Assignment.order(sort_order).received(current_user).root
end

def sort_order
  sort_column(@methods) + " " + sort_direction
end

However, that's just hiding the problem. I would suggest adding something like this to the Assignment model instead:

class Assignment < ActiveRecord::Base

  def self.sorted_by(column, direction)
    direction = direction.to_s.downcase == 'asc' ? 'asc' : 'desc'
    # sanitize_sql only processes array/hash conditions and returns a bare
    # string unchanged, so it would not protect a raw column name here.
    # Restrict the column to one that actually exists on the table instead,
    # then quote it with the adapter's identifier quoting.
    column = column_names.include?(column.to_s) ? column.to_s : 'updated_at'
    order("#{connection.quote_column_name(column)} #{direction}")
  end

end

Just keep in mind that sometimes you have to choose between keeping a tool happy and keeping your code reasonable. As for the false positive, I don't see this particular issue being resolved, since it is not simple to inspect sort_column and know it is safe.
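The allowlisting that both the question and the answer rely on can be checked without a Rails application. The following is an added example, not code from the original post; the module name SafeSort, the constructed allowlist and the sample requests are assumptions for illustration. It builds the same "column direction" string the controller hands to Assignment.order, compares symbol allowlists with string params correctly, quotes the identifier the way ActiveRecord's quote_column_name does for PostgreSQL and SQLite, and shows that a malformed sort parameter falls back to the default column rather than reaching the SQL string.

```ruby
# Added example (not from the original post): allowlist-based sort clause builder
# that mirrors the question's sort_column / sort_direction logic without Rails.
module SafeSort
  # Constructed allowlist standing in for the question's @methods plus the default
  ALLOWED_COLUMNS = %w[name manager deadline updated_at].freeze
  DEFAULT_COLUMN = 'updated_at'

  # Returns the requested column only if it is in the allowlist.
  # Both sides are compared as strings so a symbol allowlist ([:name, ...])
  # still matches a string request parameter.
  def self.column(params, allowed = ALLOWED_COLUMNS)
    requested = params['sort'].to_s
    allowed.map(&:to_s).include?(requested) ? requested : DEFAULT_COLUMN
  end

  # Only the two literal values can be returned, whatever the request contains
  def self.direction(params)
    params['direction'].to_s.downcase == 'asc' ? 'asc' : 'desc'
  end

  # Double-quoted identifier with embedded quotes doubled, as the PostgreSQL
  # and SQLite adapters' quote_column_name produce
  def self.quote_identifier(name)
    %("#{name.gsub('"', '""')}")
  end

  # The string that would be passed to Assignment.order. It is built by
  # interpolation, but every byte comes from a fixed set, never from the request.
  def self.build_order(params, allowed = ALLOWED_COLUMNS)
    "#{quote_identifier(column(params, allowed))} #{direction(params)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: a normal one, one with an invalid column,
  # and one with an invalid direction
  [
    { 'sort' => 'name', 'direction' => 'asc' },
    { 'sort' => 'deadline) --', 'direction' => 'desc' },
    { 'sort' => 'manager', 'direction' => 'sideways' }
  ].each { |p| puts "#{p.inspect} => #{SafeSort.build_order(p)}" }
end
```

The point Brakeman cannot see by static inspection is that column and direction are lookups into fixed sets, so the interpolated string is safe by construction; keeping the allowlist next to the model (as the answer suggests) makes that property easier for a reviewer to verify than spreading it across controller helpers.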
