Slide 15
def run_check
  # Avoid reporting `user_input` on silly values when generating warning.
  # Note that we retroactively find `user_input` inside the "dangerous" value.
  @safe_input_attributes.merge IGNORE_METHODS_IN_SQL

  @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
    :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
  @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
  @sql_targets.concat [:find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by, :not] if tracker.options[:rails4]

  if tracker.options[:rails6]
    @sql_targets.concat [:delete_by, :destroy_by, :rewhere, :reselect]

    @sql_targets.delete :delete_all
    @sql_targets.delete :destroy_all
  end

  if version_between?("6.1.0", "9.9.9")
    @sql_targets.delete :order
    @sql_targets.delete :reorder
    @sql_targets.delete :pluck
  end
Checking how Brakeman implements the check (3)
https://github.com/presidentbeef/brakeman/blob/v6.2.2/lib/brakeman/checks/check_sql.rb#L21
$ rdbg -e "b Brakeman::CheckSQL#run_check" -e "open vscode" -c -- brakeman --no-threads -t SQL
Start brakeman under rdbg again
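An added example, not Brakeman's own code, that mimics in miniature what CheckSQL does with the target list above: it walks a Ruby AST with the standard-library Ripper and reports calls to a subset of the target methods whose arguments contain string interpolation or concatenation. The SQL_TARGETS subset and the sample source are constructed for this example.

```ruby
require "ripper"

# Constructed subset of Brakeman's @sql_targets list, enough for the demo.
SQL_TARGETS = %i[where order pluck find_by_sql count_by_sql update_all].freeze

# Constructed sample: line 1 and line 3 build SQL from dynamic strings.
SAMPLE_SOURCE = <<~'RUBY'
  User.where("name = '#{params[:name]}'")
  User.where("name = ?", params[:name])
  User.pluck("id, " + params[:col])
RUBY

# Returns [[method_name, line], ...] for every call to an SQL-target method
# whose argument list contains "#{...}" interpolation or a `+` concatenation.
def find_sql_interpolations(ruby_source)
  findings = []
  walk(Ripper.sexp(ruby_source), findings)
  findings
end

def walk(node, findings)
  return unless node.is_a?(Array)
  ident, args = call_parts(node)
  if ident && SQL_TARGETS.include?(ident[1].to_sym) && dynamic_string?(args)
    findings << [ident[1].to_sym, ident[2][0]]   # [:@ident, name, [line, col]]
  end
  node.each { |child| walk(child, findings) }
end

# Decompose the two Ripper call shapes: `recv.meth(args)` and `recv.meth args`.
def call_parts(node)
  case node[0]
  when :method_add_arg
    call, args = node[1], node[2]
    if call.is_a?(Array) && call[0] == :call && call[3].is_a?(Array) && call[3][0] == :@ident
      return [call[3], args]
    end
  when :command_call
    return [node[3], node[4]] if node[3].is_a?(Array) && node[3][0] == :@ident
  end
  nil
end

# Any interpolation node or `+` binary expression inside the arguments counts.
def dynamic_string?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :string_embexpr
  return true if node[0] == :binary && node[2] == :+
  node.any? { |child| dynamic_string?(child) }
end

puts find_sql_interpolations(SAMPLE_SOURCE).inspect if $PROGRAM_NAME == __FILE__
```

The real check is far more thorough (it tracks arguments through variables, scopes and `user_input`), but the target-list gating shown on the slide is the same idea: only calls to these method names are examined.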