
Ruby: add SqlConstruction concept, and implement it for calls to Arel.sql #11207

Open
wants to merge 7 commits into main

Conversation

nickrolfe
Contributor

@nickrolfe nickrolfe commented Nov 10, 2022

The docs for Arel.sql say:

Great caution should be taken to avoid SQL injection vulnerabilities. This method should not be used with unsafe values such as request parameters or model attributes.

This also updates rb/sql-injection to:

  1. use ...Query.qll and ...Customizations.qll files like other queries
  2. consider SqlConstructions as sinks

So reviewing the individual commits may make it a bit easier to review the new parts.

Plus a drive-by Python comment fix.
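As an added illustration of the pattern this PR turns into a sink, here is a small Ruby script (not the PR's code, and only a syntactic approximation of what the rb/sql-injection query now does with data flow) that uses the standard-library Ripper parser to list every `Arel.sql(...)` call whose argument is not a constant string. The sample source it scans is constructed for this example.

```ruby
require "ripper"
# Constructed sample (not from the PR): one constant call, three built from a parameter.
SAMPLE = <<~'RUBY'
  scope :recent, -> { order(Arel.sql("created_at DESC")) }
  def by_col(col);  order(Arel.sql("#{col} DESC"));      end
  def by_col2(col); order(Arel.sql("" + col + " DESC")); end
  def by_col3(col); order(Arel.sql(col));                end
RUBY

# Depth-first walk over a Ripper S-expression, yielding every node array.
def walk(node, &blk)
  return unless node.is_a?(Array)
  yield node if node[0].is_a?(Symbol)
  node.each { |child| walk(child, &blk) }
end

# Matches [:call, receiver, period, method] with receiver Arel (or ::Arel) and method sql.
def arel_sql_call?(n)
  return false unless n.is_a?(Array) && n[0] == :call && n[1].is_a?(Array) && n[3].is_a?(Array)
  %i[var_ref top_const_ref].include?(n[1][0]) && n[1][1][0] == :@const &&
    n[1][1][1] == "Arel" && n[3][0] == :@ident && n[3][1] == "sql"
end

# True only for a single argument that is a string literal without interpolation.
def constant_string?(arg_paren)
  args = arg_paren[1]
  args = args[1] if args.is_a?(Array) && args[0] == :args_add_block # unwrap block wrapper
  return false unless args.is_a?(Array) && args.size == 1 && args[0][0] == :string_literal
  args[0][1][1..].all? { |part| part[0] == :@tstring_content }
end

# Rough classification of how the SQL argument was built.
def describe(arg_paren)
  kinds = []
  walk(arg_paren) { |n| kinds << n[0] }
  return "interpolated string" if kinds.include?(:string_embexpr)
  kinds.include?(:binary) ? "concatenated expression" : "non-literal argument"
end

# [[line, description], ...] for each parenthesised Arel.sql(...) call whose argument is
# not a constant string. Purely syntactic: unlike the CodeQL query it tracks no data flow.
def risky_arel_sql_calls(src)
  tree = Ripper.sexp(src) or raise ArgumentError, "source does not parse"
  findings = []
  walk(tree) do |node|
    next unless node[0] == :method_add_arg && arel_sql_call?(node[1])
    findings << [node[1][3][2][0], describe(node[2])] unless constant_string?(node[2])
  end
  findings
end
```

Because it tracks no data flow, it also reports calls whose argument was already sanitised; that is the gap the CodeQL query's taint tracking closes.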

tausbn
tausbn previously approved these changes Nov 10, 2022
Contributor

@tausbn tausbn left a comment

Drive-by Python approval. 👍
