Refactor #23300
closed
Do not use string interpolation when composing SQL queries.
Added by Martin Povolny almost 7 years ago.
Updated about 3 years ago.
Description
Using string interpolation when composing SQL queries is just one step away from creating a security issue. It's against Rails best practices to do so, and doing so actually results in Brakeman complaining loudly.
Task: replace string interpolation with parameterized queries and/or AREL.
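The task above starts from "Brakeman scan and grep"; as an added example (not Foreman's code, and not a substitute for Brakeman), this is a small grep-style Ruby pass that flags ActiveRecord query methods whose SQL fragment is a double-quoted literal containing `#{...}`. The model source it scans is a constructed sample, and the list of query methods is an assumption.

```ruby
# Added example, not Foreman code: a first-pass scan for interpolated SQL.
# Single-line only: heredocs and string concatenation are missed, Brakeman
# handles those properly.

# ActiveRecord methods that pass their string argument into SQL (assumed list).
SQL_METHODS = %w[where find_by_sql order select joins having group pluck execute count_by_sql].freeze

# Matches `where("... #{x} ...")` and `execute "... #{x}"`: the method name, an
# optional paren, then a double-quoted literal containing `#{` before its closing quote.
INTERPOLATED_SQL = /
  \b(?<method>#{SQL_METHODS.map { |m| Regexp.escape(m) }.join('|')})
  \s*\(?\s*
  "(?:[^"\\]|\\.)*?\#\{
/x

# Returns one {file:, line:, method:, source:} hash per offending line.
def find_interpolated_sql(file, source)
  source.each_line.with_index(1).filter_map do |text, lineno|
    m = INTERPOLATED_SQL.match(text)
    next unless m
    { file: file, line: lineno, method: m[:method], source: text.strip }
  end
end

# Constructed sample shaped like a Rails model; not real Foreman code.
SAMPLE = <<~'RUBY'
  class Host < ApplicationRecord
    def self.by_name(name)
      where("name = '#{name}'")               # interpolated: flagged
    end
    def self.by_name_safe(name)
      where("name = ?", name)                 # bound parameter: fine
    end
    def self.by_arel(name)
      where(arel_table[:name].eq(name))       # Arel: fine
    end
    def self.recent(col)
      order("#{col} DESC")                    # interpolated column: flagged
    end
    def self.custom(sql)
      connection.execute "DELETE FROM hosts WHERE #{sql}"  # flagged
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_interpolated_sql("app/models/host.rb", SAMPLE).each do |hit|
    puts "#{hit[:file]}:#{hit[:line]} .#{hit[:method]} interpolates into SQL: #{hit[:source]}"
  end
end
```

Anything it reports is a candidate for the `where("col = ?", value)` or Arel form; anything it misses is exactly why Brakeman, not grep, should run in CI.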
- Status changed from New to Need more information
Could you share the list of such places? Or is that based on brakeman scan only? Was it just Foreman core or also some plugins that you've scanned?
I started with a Brakeman scan and `grep`, on Foreman only, and have not spent much time on this yet.
I think that basic checking should be done on a regular basis, possibly as part of the CI, and also for plugins. Brakeman can be used and/or services such as Hakiri (https://hakiri.io/).
I don't have a list of issues. An initial one can be obtained by running Brakeman.
In my opinion as a starting point all issues reported by Brakeman should be fixed or marked as false positives in the Brakeman config file (to be included with Foreman).
- Tracker changed from Bug to Refactor
- Pull request https://github.com/theforeman/foreman/pull/5367 added
- Status changed from Need more information to New
- Pull request deleted (https://github.com/theforeman/foreman/pull/5367)
- Related to Bug #26414: Api error when querying LDAP users added
- Related to deleted (Bug #26414: Api error when querying LDAP users)
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/8979 added
- Fixed in Releases 3.2.0 added
- Status changed from Ready For Testing to Closed