Skip to content

Instantly share code, notes, and snippets.

@jordimassaguerpla
Last active August 29, 2015 14:01
Show Gist options
  • Save jordimassaguerpla/afc020bbb3f015dccaff to your computer and use it in GitHub Desktop.
Save jordimassaguerpla/afc020bbb3f015dccaff to your computer and use it in GitHub Desktop.
unsafe_query_risk_check_1
# this checks for "unsafe query risks in active record" by reading your
# db/schema.rb file, according to
# https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk
class MockTable
@@tables = {}
def self.tables
@@tables
end
def initialize(name)
@@tables[name] = []
@name = name
end
def method_missing(m, *args, &block)
@@tables[@name] << args[0]
end
def columns
@@tables[@name]
end
end
module ActiveRecord
class ActiveRecord::Schema
def self.define(_)
if block_given?
yield
else
puts "Hei! I was expecting a block when calling ActiveRecord::Schema.define"
end
end
end
end
def create_table(name, _)
if block_given?
m = MockTable.new(name)
yield m
else
puts "Hei! I was expecting a block when calling ActiveRecord::Schema.define"
end
end
def add_index(_, _, _)
# ignoring add_index
end
def execute(_)
# ignoring execute call
end
def check_possible_join_aliases
MockTable.tables.each do |table, columns|
columns.each do |column|
if column == table
puts "************ Oh no! Column *#{column}* matches table name #{column}. That means you are vulnerable to *Unsafe Query Risk in Active Record* (table name matches column name)*****************************"
puts "see https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk"
elsif MockTable.tables.keys.include?(column)
puts "************ Oh no! Column *#{table}:#{column}* matches table name #{column}. That means you may be vulnerable to *Unsafe Query Risk in Active Record* (possible join aliases will match column name)*****************************"
puts "see https://groups.google.com/forum/#!topic/rubyonrails-security/8CVoclw-Xkk"
end
end
end
end
eval(open("db/schema.rb").read())
check_possible_join_aliases
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment