guillaumeaubert / Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection

PerlCritic policy that attempts to detect the most common sources of SQL injection in manually crafted SQL statements, by detecting the use of variables inside interpolated strings that look like SQL statements.
https://metacpan.org/pod/Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

weird case with ternary operator #12

Closed vsespb closed 10 years ago

vsespb commented 10 years ago
my $a = 1;
my $x = $a ? 'update' : $b;

SQL injection risk at line 2, column 14.  Variables in interpolated SQL string are susceptible to SQL injection: $b.  (Severity: 5)

Well, it's a false positive for us, as we have "update" as the internal ID of some of our internal stuff. However, I am not sure; maybe this can be treated as SQL injection in other cases.

guillaumeaubert commented 10 years ago

Hi Victor,

Thank you for the bug report! It is a bug in the token handler, which failed to recognize the boundary between the true case and the false case in the ternary conditional operator.

I added several test cases based on yours, and this code now passes:

my $a = 1;
my $x = $a ? 'update' : $b;

But this code is still correctly detected as having a SQL injection vulnerability:

$test
    ? 'update' . ' ' . $table
    : $var;

I merged the code into master already, and I will plan a release shortly.
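
The branch-boundary problem described above, as an added example that is not part of the thread and not the policy's own token handler. It uses PPI (the parser Perl::Critic is built on) to compare a whole-statement scan with a scan that stops at the `?` and `:` of a ternary. The helper names and the "looks like SQL" regex are assumptions made for illustration, and nested ternaries are not handled.

```perl
use strict;
use warnings;
use PPI;

# Constructed samples: the two snippets quoted in this thread.
my %samples = (
    literal_branch => q{my $x = $a ? 'update' : $b;},
    concat_branch  => q{$test ? 'update' . ' ' . $table : $var;},
);

# Hypothetical heuristic: a quoted string that starts with a SQL verb.
sub looks_like_sql {
    my ($token) = @_;
    return $token->isa('PPI::Token::Quote')
        && $token->string =~ /^\s*(?:select|insert|update|delete)\b/i;
}

# Variables that appear after a SQL-looking string in the given token run.
sub vars_joined_to_sql {
    my (@tokens) = @_;
    my ($seen_sql, @vars);
    for my $token (@tokens) {
        $seen_sql ||= looks_like_sql($token);
        push @vars, $token->content
            if $seen_sql && $token->isa('PPI::Token::Symbol');
    }
    return @vars;
}

# Split a statement's significant tokens at the ternary operators so that
# the condition, the true case and the false case are scanned separately.
sub ternary_branches {
    my ($statement) = @_;
    my @branches = ([]);
    for my $token ($statement->schildren) {
        if ($token->isa('PPI::Token::Operator') && $token->content =~ /^[?:]$/) {
            push @branches, [];
            next;
        }
        push @{ $branches[-1] }, $token;
    }
    return @branches;
}

for my $name (sort keys %samples) {
    my $doc   = PPI::Document->new(\$samples{$name});
    my $stmt  = $doc->find_first('PPI::Statement');
    my @naive = vars_joined_to_sql($stmt->schildren);
    my @aware = map { vars_joined_to_sql(@$_) } ternary_branches($stmt);
    printf "%-15s whole-statement: [%s]  per-branch: [%s]\n",
        $name, "@naive", "@aware";
}
```

The whole-statement scan reports `$b` for the first sample because nothing separates it from `'update'`; the per-branch scan reports only `$table`, which is concatenated to the SQL-looking string inside the same branch.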

vsespb commented 10 years ago

Thank you!

guillaumeaubert commented 10 years ago

Added milestone v1.3.0, for release this week.