
I get false positives for SQL injection on non-AR classes on count.

Open thijsnado opened this issue 4 years ago • 1 comment

Background

Brakeman version: 5.2.0
Rails version: 6.1.4.4
Ruby version: 2.7.5p203

Link to Rails application code: ?

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Pipedream::Agent.count(params[:event_name], 1, :anonymous => anonymous?, :loggedIn => logged_in?)
File: app/controllers/medias_controller.rb
Line: 514

Relevant code:

Pipedream::Agent.count(event_name, 1, {anonymous: anonymous?, loggedIn: logged_in})

Why might this be a false positive?

The above code is for analytical purposes and just logs event names with metadata. There is a chance that user input could be used to enter arbitrary data, but that is of little concern to us. There are no SQL counts going on; count is probably badly named, but what it does is increase the count of an event name happening.

thijsnado avatar Jan 12 '22 16:01 thijsnado
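Added example, not code from the issue or from Brakeman itself: it shows why `count(params[:x])` is a real SQL injection sink on an ActiveRecord model, and why the same call shape on a non-ActiveRecord class like the reporter's `Pipedream::Agent` is harmless. `FakeActiveRecord::Model` is an assumed, simplified stand-in for Rails' `count(column_name)`, which passes an argument that is not a known attribute through as raw SQL; `Pipedream::Agent` here is an assumed stand-in for the analytics agent, implemented as an in-memory tally. A static checker only sees the receiver and the method name, which is what makes the two cases look alike.

```ruby
# Added example (assumed, simplified models; not Brakeman's or the reporter's code).

module FakeActiveRecord
  # Stand-in for ActiveRecord's count(column_name). Real Rails wraps known
  # attribute names in quoted identifiers but hands anything else to Arel.sql,
  # i.e. it is spliced into the query verbatim. That raw path is the sink
  # Brakeman's SQL check warns about when the argument comes from params.
  class Model
    ATTRIBUTES = %w[id event_name created_at].freeze
    TABLE = "events"

    # Vulnerable by design: mirrors the raw-SQL fallback.
    def self.count_sql(column_name = "*")
      column = column_name.to_s
      fragment =
        if column == "*"
          "*"
        elsif ATTRIBUTES.include?(column)
          %("#{TABLE}"."#{column}")
        else
          column # raw SQL fallback: attacker-controlled text lands in the query
        end
      %(SELECT COUNT(#{fragment}) FROM "#{TABLE}")
    end

    # Hardened variant: user input may only pick one of the known attributes.
    def self.safe_count_sql(column_name)
      column = column_name.to_s
      unless ATTRIBUTES.include?(column)
        raise ArgumentError, "unknown column #{column.inspect}"
      end
      count_sql(column)
    end
  end
end

module Pipedream
  # Stand-in for the analytics agent in the report: `count` bumps an in-memory
  # counter keyed by event name and never builds SQL, so arbitrary input here
  # only pollutes the event namespace. The metadata hash is accepted and ignored.
  class Agent
    @tally = Hash.new(0)

    class << self
      attr_reader :tally

      def count(event_name, increment = 1, _metadata = {})
        key = event_name.to_s
        @tally[key] += increment
        @tally[key]
      end
    end
  end
end

# Constructed attacker input: closes COUNT( and redirects the query.
INJECTION_PAYLOAD = '*) FROM "users" WHERE "admin" = 1 --'.freeze

# Runs the same call shape against both receivers and returns what each does.
def compare_receivers(user_input = INJECTION_PAYLOAD)
  {
    model_sql: FakeActiveRecord::Model.count_sql(user_input),
    agent_tally: Pipedream::Agent.count(user_input, 1, anonymous: true, loggedIn: false)
  }
end

if __FILE__ == $PROGRAM_NAME
  result = compare_receivers
  puts "AR-style count builds:  #{result[:model_sql]}"
  puts "Agent count returns:    #{result[:agent_tally]} (no SQL involved)"
end
```

Running it shows the model-side query becoming `SELECT COUNT(*) FROM "users" WHERE "admin" = 1 --) FROM "events"`, while the agent merely records one occurrence of a strange event name. When the receiver really is an ActiveRecord model, the allowlist in `safe_count_sql` is the fix; when it is not, the warning is a false positive to be reviewed and ignored, but that judgement needs knowledge of the receiver that the call site alone does not carry.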

Hi @thijsnado - thank you for reporting. Looking at the Brakeman code, this shouldn't be happening... which scares me a little bit :laughing: I will take a deeper look.

presidentbeef avatar Jan 13 '22 17:01 presidentbeef