github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

False positive - Ruby on Rails: SQL query built from user-controlled sources #14546

Open kostyanf14 opened 12 months ago

kostyanf14 commented 12 months ago

Description of the false positive

Rails execute sanitize_sql_for_assignment when update_all called with an array as the argument: https://github.com/rails/rails/blob/v7.0.8/activerecord/lib/active_record/relation.rb#L476

Code samples or links to source code

https://github.com/amnis-invictus/ikt.edu.vn.ua/blob/e404674b8efd9c4ed668866787a8a2ef1b91514f/app/channels/api_channel.rb#L82
https://github.com/amnis-invictus/ikt.edu.vn.ua/blob/e404674b8efd9c4ed668866787a8a2ef1b91514f/app/channels/api_channel.rb#L85

URL to the alert on GitHub code scanning (optional)

https://github.com/amnis-invictus/ikt.edu.vn.ua/security/code-scanning/307
https://github.com/amnis-invictus/ikt.edu.vn.ua/security/code-scanning/308
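As an added illustration of the distinction the report relies on (this is not Rails' or CodeQL's code): `update_all` passes an array argument through `sanitize_sql_for_assignment`, which quotes each value into the `?` placeholders, whereas a plain string argument is used verbatim. The minimal stand-in below assumes SQL-standard single-quote doubling and `?` positional placeholders only; real Rails delegates quoting to the database adapter and also supports named binds.

```ruby
# Added illustration, not Rails' own implementation: a minimal stand-in for the
# quoting step that sanitize_sql_for_assignment applies to an array argument.
# Assumption: SQL-standard quoting (single quotes doubled), "?" placeholders only.

def quote_sql_value(value)
  case value
  when Integer, Float then value.to_s
  when NilClass       then "NULL"
  when true           then "TRUE"
  when false          then "FALSE"
  else "'#{value.to_s.gsub("'", "''")}'"   # escape embedded quotes in strings
  end
end

# Array form: ["col = ?, other = ?", v1, v2] -> each "?" replaced by a quoted value.
# A placeholder/value count mismatch is an error, as it is in Rails.
def sanitize_assignment_array(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  # Block form of sub! so backslashes in values are not treated as backreferences.
  values.each_with_object(template.dup) { |v, sql| sql.sub!("?") { quote_sql_value(v) } }
end

# Build the SET clause the way update_all sees it for both call styles.
def assignment_sql(arg)
  case arg
  when Array  then sanitize_assignment_array(arg.first, *arg.drop(1))
  when String then arg   # passed through verbatim: nothing is quoted here
  else raise ArgumentError, "unsupported argument type #{arg.class}"
  end
end

if __FILE__ == $PROGRAM_NAME
  user_input = "O'Brien"                       # constructed sample value
  puts assignment_sql(["name = ?", user_input])  # quote doubled: name = 'O''Brien'
  puts assignment_sql("name = '#{user_input}'")  # interpolated as-is: name = 'O'Brien'
end
```

The first call is what the reported code does and what the query can treat as sanitized; the second is the pattern the query is meant to flag, since the user value reaches the statement unchanged.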

jketema commented 12 months ago

Hi @kostyanf14,

Thanks for your report. I've asked the Ruby engineering team to take a look.

jketema commented 11 months ago

Hi @kostyanf14,

The engineering team agrees this is a false positive, and they've opened an internal issue to track this. Thanks for the report!