jordimassaguerpla/unsafe_query_risk_check_1.rb

## unsafe_query_risk_check_1.rb
# this checks for "unsafe query risks in active record" by reading your
# db/schema.rb file, according to
# https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk

class MockTable
  @@tables = {}

  def self.tables
    @@tables
  end

  def initialize(name)
    @@tables[name] = []
    @name = name
  end

  def method_missing(m, *args, &block)
    @@tables[@name] << args[0]
  end

  def columns
    @@tables[@name]
  end
end

module ActiveRecord
  class ActiveRecord::Schema
    def self.define(_)
      if block_given?
        yield
      else
        puts "Hei! I was expecting a block when calling ActiveRecord::Schema.define"
      end
    end
  end
end

def create_table(name, _)
  if block_given?
    m = MockTable.new(name)
    yield m
  else
    puts "Hei! I was expecting a block when calling ActiveRecord::Schema.define"
  end
end

def add_index(_, _, _)
  # ignoring add_index
end


def execute(_)
  # ignoring execute call
end


def check_possible_join_aliases
  MockTable.tables.each do |table, columns|
    columns.each do |column|
      if column == table
        puts "************ Oh no! Column *#{column}* matches table name #{column}. That means you are vulnerable to *Unsafe Query Risk in Active Record* (table name matches column name)*****************************"
        puts "see https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk"
      elsif MockTable.tables.keys.include?(column)
        puts "************ Oh no! Column *#{table}:#{column}* matches table name #{column}. That means you may be vulnerable to *Unsafe Query Risk in Active Record* (possible join aliases will match column name)*****************************"
        puts "see https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk"
      end
    end
  end
end

eval(open("db/schema.rb").read())

check_possible_join_aliases
	# this checks for "unsafe query risks in active record" by reading your
	# db/schema.rb file, according to
	# https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk

	class MockTable
	@@tables = {}

	def self.tables
	@@tables
	end

	def initialize(name)
	@@tables[name] = []
	@name = name
	end

	def method_missing(m, *args, &block)
	@@tables[@name] << args[0]
	end

	def columns
	@@tables[@name]
	end
	end

	module ActiveRecord
	class ActiveRecord::Schema
	def self.define(_)
	if block_given?
	yield
	else
	puts "Hei! I was expecting a block when calling ActiveRecord::Schema.define"
	end
	end
	end
	end

	def create_table(name, _)
	if block_given?
	m = MockTable.new(name)
	yield m
	else
	puts "Hei! I was expecting a block when calling ActiveRecord::Schema.define"
	end
	end

	def add_index(_, _, _)
	# ignoring add_index
	end


	def execute(_)
	# ignoring execute call
	end


	def check_possible_join_aliases
	MockTable.tables.each do \|table, columns\|
	columns.each do \|column\|
	if column == table
	puts "************ Oh no! Column #{column} matches table name #{column}. That means you are vulnerable to Unsafe Query Risk in Active Record (table name matches column name)*****************************"
	puts "see https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk"
	elsif MockTable.tables.keys.include?(column)
	puts "************ Oh no! Column #{table}:#{column} matches table name #{column}. That means you may be vulnerable to Unsafe Query Risk in Active Record (possible join aliases will match column name)*****************************"
	puts "see https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk"
	end
	end
	end
	end

	eval(open("db/schema.rb").read())

	check_possible_join_aliases