Closed kreintjes closed 2 years ago
Note: the correct way to fix this potential SQL injection vulnerability is probably to wrap each column in `ApplicationRecord.connection.quote_column_name`. So for example: `Country.where(code: codes).order(ApplicationRecord.connection.quote_column_name("name_#{I18n.locale.to_s.split("-").first}"))`. This works and Brakeman views this as secure (although I wrongfully thought it didn't at first). However it still feels a bit cumbersome to do this for every occurrence when there isn't an actual vulnerability.
We should just ignore `I18n.locale` in SQL. 👍
Background
Brakeman version: 5.0.1
Rails version: 6.0.3.7
Ruby version: 2.7.3
Link to Rails application code: not to be disclosed
False Positive
Full warning from Brakeman:
Relevant code:
Why might this be a false positive?
Brakeman warns about a potential SQL injection vulnerability, although this could not be the case since Rails checks whether the input passed to `I18n.locale =` matches one of the `I18n.available_locales`. If you pass some untrusted input, like `I18n.locale = "thisisn'tsafe"`, then you get an error: `I18n::InvalidLocale: "thisisn'tsafe" is not a valid locale`. So this cannot be an actual SQL injection.

I can't seem to fix or remove this false positive. I tried adding a method `sanitized_locale` which checks the `I18n.locale` against a whitelist (in the same file), but Brakeman still sees this as a vulnerability. I tried adding `sanitized_locale` to the `--safe-methods` option, but this doesn't work either (it appears these methods are only used for the XSS scan). It seems there are only two ways of removing this false positive now: `ApplicationRecord.sanitize_sql(...)` (so for example: `Country.where(code: codes).order("name_#{ApplicationRecord.sanitize_sql(I18n.locale.to_s.split("-").first)}")`). Feels a bit cumbersome as well, leading to long lines (of which then Rubocop complains :p). It also doesn't actually fix the SQL vulnerability if there were actually one.

Does anyone have any suggestions for a nice and preferably application-wide fix (or ignore method)?
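The two defences the issue talks about, an allowlist check on the locale (what `I18n.locale=` does) and quoting the resulting identifier (what `connection.quote_column_name` does), shown together in plain Ruby as an added example that is not part of the issue, Brakeman or Rails. `AVAILABLE_LOCALES`, `InvalidLocale`, `sanitized_locale` and the PostgreSQL-style `quote_column_name` stand-in are constructed for the example; the real Rails methods behave differently in detail (adapter-specific quoting, `enforce_available_locales` setting).

```ruby
# Added example (not Brakeman's or Rails' code): building a locale-suffixed
# ORDER BY column outside of Rails, mirroring the two defences from the issue:
# (1) the locale is checked against an allowlist, as I18n.locale= does, and
# (2) the resulting identifier is quoted, as quote_column_name would do,
# so it never reaches the SQL string as raw interpolation.

# Constructed allowlist standing in for I18n.available_locales.
AVAILABLE_LOCALES = %i[en en-GB nl de].freeze

# Stand-in for I18n::InvalidLocale.
class InvalidLocale < ArgumentError; end

# Mirrors I18n.locale= : anything not in the allowlist is rejected with an error
# rather than silently passed through.
def sanitized_locale(locale, available = AVAILABLE_LOCALES)
  sym = locale.to_s.to_sym
  raise InvalidLocale, "#{locale.inspect} is not a valid locale" unless available.include?(sym)
  sym
end

# Language part only ("en-GB" -> "en"), as the issue's split("-").first does,
# but taken from the allowlisted value, not the raw input.
def language_of(locale)
  sanitized_locale(locale).to_s.split("-").first
end

# Stand-in for ActiveRecord's connection.quote_column_name (PostgreSQL style):
# wrap the identifier in double quotes and double any embedded double quote.
# Note this quotes an *identifier*; sanitize_sql escapes string *values* and
# is the wrong tool for a column name, which is the issue's own observation.
def quote_column_name(name)
  %("#{name.to_s.gsub('"', '""')}")
end

# The column the issue builds: allowlisted first, then quoted.
def localized_name_column(locale)
  quote_column_name("name_#{language_of(locale)}")
end

# The ORDER BY fragment that would be handed to the query builder.
def order_clause(locale)
  "ORDER BY #{localized_name_column(locale)}"
end

if __FILE__ == $PROGRAM_NAME
  puts order_clause("en-GB")          # ORDER BY "name_en"
  begin
    order_clause("thisisn'tsafe")     # rejected before any SQL is built
  rescue InvalidLocale => e
    puts "rejected: #{e.message}"
  end
end
```

The order of the two steps matters: the allowlist check decides whether the value is acceptable at all, and quoting only makes sure the accepted value cannot be misread as anything other than one identifier. A static analyser like Brakeman can see the quoting call but cannot know that `I18n.locale` was validated elsewhere, which is why the quoted form silences the warning while the allowlist alone does not.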