Background

Brakeman version: 6.2.2
Rails version: 8.0.0
Ruby version: 3.3.5

False Positive

Full warning from Brakeman:

Confidence: High
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: MyModel.where(params.permit(:foo, :bar).slice(:foo, :bar).compact_blank)

Relevant code:

MyModel.where(params.permit(:foo, :bar).slice(:foo, :bar)) # no warning
MyModel.where(params.permit(:foo, :bar).slice(:foo, :bar).compact_blank) # warning

The compact_blank method returns a new ActionController::Parameters object, but that new object retains the permitted status from our earlier call to permit. There is a list of permitted method calls defined here but compact_blank is not listed there. It probably shouldn't be, because compact_blank on its own does not make the call safe, but being chained after permit ought to.

Is there a way to mark methods that are chained after permit as safe?