
SQL injection check #40

Closed
LTe wants to merge 6 commits into openSUSE:master from LTe:sql_injection_check

Conversation


@LTe LTe commented Jun 12, 2012

#low             CWE-89                  \.find[\w_]*\s*[\(]*.*params\s*\[
#low             CWE-89                  \.find[\w_]*\s*[\(]*.*conditions\s*=>
#medium          CWE-89                  \.find[\w_]*\s*[\(]*.*conditions\s*=>.*#\{.*\}
#high            CWE-89                  \.find[\w_]*\s*[\(]*.*(conditions|limit)\s*=>.*params\s*\[
#high            CWE-89                  \.find[\w_]*\s*[\(]*.*(conditions|limit)\s*=>.*session\s*\[

This check uses regexp matching for the method name (openSUSE/machete#6)


LTe commented Jun 14, 2012

Next part of checks

info            CWE-89                  sanitize_sql
low             CWE-89                  \.execute
low             CWE-89                  \.find_by_sql
low             CWE-89                  \.paginate
high            CWE-89                  \.execute.*params\s*\[
high            CWE-89                  \.find_by_sql.*params\s*\[
high            CWE-89                  SELECT.*options\[\:select\].*
high            CWE-89                  SELECT.*params\s*\[
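
As an added example (not machete's own code and not part of this PR), the Ruby below applies the CWE-89 patterns from both comments above, copied verbatim, to constructed lines of Rails code and reports the highest matching severity per line; the helper names (`cwe89_findings`, `cwe89_impact`, `cwe89_scan`) and the sample snippet are assumptions.

```ruby
# Added example, not machete's own code: run the CWE-89 regex checks listed in
# this PR against constructed lines of Rails code and report an impact level.
# Patterns are copied verbatim from the two comments; helper names are assumed.
SEVERITY = { "info" => 0, "low" => 1, "medium" => 2, "high" => 3 }.freeze

# Single-quoted strings keep the backslashes exactly as written in the PR.
CWE89_CHECKS = [
  ["low",    '\.find[\w_]*\s*[\(]*.*params\s*\['],
  ["low",    '\.find[\w_]*\s*[\(]*.*conditions\s*=>'],
  ["medium", '\.find[\w_]*\s*[\(]*.*conditions\s*=>.*#\{.*\}'],
  ["high",   '\.find[\w_]*\s*[\(]*.*(conditions|limit)\s*=>.*params\s*\['],
  ["high",   '\.find[\w_]*\s*[\(]*.*(conditions|limit)\s*=>.*session\s*\['],
  ["info",   'sanitize_sql'],
  ["low",    '\.execute'],
  ["low",    '\.find_by_sql'],
  ["low",    '\.paginate'],
  ["high",   '\.execute.*params\s*\['],
  ["high",   '\.find_by_sql.*params\s*\['],
  ["high",   'SELECT.*options\[\:select\].*'],
  ["high",   'SELECT.*params\s*\['],
].map { |sev, src| [sev, Regexp.new(src)] }.freeze

# All (severity, regexp) pairs that match one line of source.
def cwe89_findings(line)
  CWE89_CHECKS.select { |_sev, re| re.match?(line) }
end

# Highest severity among the hits, or nil for a line no check flags.
def cwe89_impact(line)
  cwe89_findings(line).map(&:first).max_by { |sev| SEVERITY[sev] }
end

# Scan a multi-line source string; returns [[line_no, impact], ...] for flagged lines.
def cwe89_scan(source)
  source.each_line.with_index(1).map { |line, n| [n, cwe89_impact(line)] }
        .reject { |_n, impact| impact.nil? }
end

# Constructed sample input, not taken from any real project.
SAMPLE = <<~'RUBY'
  User.where(:name => name)
  Post.paginate(:page => params[:page])
  User.find(:all, :conditions => "name = '#{name}'")
  ActiveRecord::Base.connection.execute("DELETE FROM users WHERE id = #{params[:id]}")
  User.find(:all, :limit => session[:limit])
  User.find(:all, :conditions => ["name = ?", params[:name]])
RUBY

if __FILE__ == $0
  cwe89_scan(SAMPLE).each { |n, impact| puts "line #{n}: #{impact}" }
end
```

Note that the last sample line binds its value with a `?` placeholder yet is still reported as high, because these checks are line-level regexes that key on `params[` rather than on how the value reaches the query; that is the trade-off of this style of check.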

LTe added 3 commits June 14, 2012 16:45
Add checks for model class methods level.
Write specs for new checks.
impact method
@node instance variable
rspec with_issues matcher (for > 2 issues)
update specs
@LTe LTe mentioned this pull request Jun 18, 2012
@LTe LTe closed this Jun 18, 2012