
Brakeman? #60

Merged
merged 5 commits into from
Feb 3, 2023

Conversation

bcaller (Contributor) commented Jan 26, 2023

Closes #55

@bcaller bcaller force-pushed the brakeman branch 4 times, most recently from 424e6cf to d7bc9e3 Compare January 26, 2023 14:44
@bcaller bcaller added the wontfix This will not be worked on label Jan 26, 2023
@bcaller bcaller force-pushed the brakeman branch 2 times, most recently from 3e12481 to dca824f Compare January 30, 2023 17:19
@bcaller bcaller force-pushed the brakeman branch 4 times, most recently from c64bb76 to 7b50ae5 Compare January 30, 2023 17:51
@brave brave deleted a comment from github-actions bot Jan 30, 2023
bcaller (Contributor, Author) commented Jan 30, 2023

doesn't work

@bcaller bcaller force-pushed the brakeman branch 7 times, most recently from 0ce75c6 to eaa1510 Compare January 30, 2023 19:26
@brave brave deleted a comment from github-actions bot Jan 30, 2023
@brave brave deleted a comment from github-actions bot Jan 30, 2023
@bcaller bcaller added the invalid This doesn't seem right label Jan 30, 2023
@bcaller bcaller force-pushed the brakeman branch 3 times, most recently from 3b65779 to 77b3119 Compare January 30, 2023 23:59
@brave brave deleted a comment from github-actions bot Jan 30, 2023
@brave brave deleted a comment from github-actions bot Jan 30, 2023

class Thing < ActiveRecord::Base
def inject(params)
Thing.first.where((((("username = '" + params[:user][:name]) + "' AND password = '") + params[:user][:password]) + "'"))


reported by reviewdog 🐶
[semgrep] Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.

Source: https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string

Cc @brave/sec-team @thypon @bcaller
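As an added illustration of the finding above (not code from the PR's fixture or from reviewdog), the concatenated WHERE clause from the test file is reproduced beside a small emulation of ActiveRecord's `?` placeholder binding; `quote_sql_string` and `bind_sql` are constructed helpers that stand in for the database adapter's quoting, and the sample parameter hashes are constructed input.

```ruby
# Added example: the fixture's concatenated clause next to a parameterized
# form. The quoting helpers below emulate what a SQL adapter does and are
# not ActiveRecord's own API; in a Rails app you would write
#   Thing.where("username = ? AND password = ?", name, password)
# and let the adapter quote the values.

# Quote a value as a SQL string literal: wrap in single quotes and double
# any embedded single quote so it cannot terminate the literal early.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind values into "?" placeholders left to right, quoting each one.
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  template.gsub("?") { quote_sql_string(pending.shift) }
end

# The clause flagged in the fixture: request input is spliced into the SQL
# text, so a quote character in the input changes the query's structure.
def tainted_where_sql(params)
  "username = '" + params[:user][:name] + "' AND password = '" + params[:user][:password] + "'"
end

# The corrected clause: request input is bound as data, never as SQL text.
def parameterized_where_sql(params)
  bind_sql("username = ? AND password = ?", params[:user][:name], params[:user][:password])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a name containing an apostrophe.
  params = { user: { name: "o'brien", password: "s3cret" } }
  puts tainted_where_sql(params)        # literal ends after o, rest becomes SQL
  puts parameterized_where_sql(params)  # apostrophe stays inside the literal
end
```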

thypon (Member) commented Jan 31, 2023

Q: Can we have brakeman running even if the project does not have a proper Gemfile.lock set up? t3sts/brakeman/Gemfile.lock

@thypon thypon removed invalid This doesn't seem right wontfix This will not be worked on labels Jan 31, 2023
@brave brave deleted a comment from github-actions bot Feb 3, 2023

class Thing < ActiveRecord::Base
def inject(params)
Thing.first.where((((("username = '" + params[:user][:name]) + "' AND password = '") + params[:user][:password]) + "'"))

reported by reviewdog 🐶
[brakeman] Possible SQL injection

Source: https://brakemanscanner.org/docs/warning_types/sql_injection/

Cc @brave/sec-team @thypon @bcaller


No need for Gemfile.
@bcaller bcaller merged commit fd4b8ef into main Feb 3, 2023
@bcaller bcaller deleted the brakeman branch February 3, 2023 12:21
Successfully merging this pull request may close these issues: Port brakeman to reviewdog