Brakeman is reporting "Unescaped parameter value" when using find with
parameterized queries (? or named placeholders).
    Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])

params[:name] = "Robert"
Generated SQL:

    SELECT * FROM countries WHERE (LOWER(name) = 'robert');

params[:name] = "Robert');DELETE * FROM countries;"
Generated SQL:

    SELECT * FROM countries WHERE (LOWER(name) = 'robert'');DELETE * FROM countries;');
As ActiveRecord sanitizes the parameters in a parameterized query, is there any
harm that could still be done with params being unescaped on the find above or
is it a False Positive?
Thanks!
Ronie
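To make the bound query in the question concrete, here is an added example in plain Ruby; it is not the post's code and not ActiveRecord's implementation, only a stand-in whose quoting rule is the one visible in the generated SQL above (value wrapped in quotes, embedded quotes doubled). It reproduces both queries, puts an interpolated version of the same finder beside them, and counts statements so the difference is checkable; because .downcase applies to the whole parameter, the payload text comes out lower-cased in the bound query.

```ruby
# Added example, not ActiveRecord's own code: a stand-in for "?" binding built
# only from what the post's SQL shows (value quoted, embedded quotes doubled).

# Quote a string as a SQL literal; a doubled quote cannot terminate it.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind values into the "?" placeholders. The template is split before binding,
# so a "?" inside a bound value is never taken for a placeholder.
def bind_sql(template, *values)
  parts = template.split("?", -1)
  raise ArgumentError, "placeholder/value count mismatch" if parts.size - 1 != values.size
  sql = parts.first.dup
  values.each_with_index { |v, i| sql << quote_value(v) << parts[i + 1] }
  sql
end

# The post's finder: LOWER(name) = ? bound to the downcased parameter.
def country_lookup_sql(name_param)
  "SELECT * FROM countries WHERE (#{bind_sql('LOWER(name) = ?', name_param.downcase)});"
end

# The pattern Brakeman exists to catch: the parameter spliced into the SQL text.
def interpolated_lookup_sql(name_param)
  "SELECT * FROM countries WHERE (LOWER(name) = '#{name_param.downcase}');"
end

# Count statements by walking the SQL and ignoring ";" inside a single-quoted
# literal, where '' is an escaped quote rather than the end of the literal.
def statement_count(sql)
  in_string, count, i = false, 0, 0
  while i < sql.length
    c = sql[i]
    if in_string
      if c == "'" && sql[i + 1] == "'"
        i += 1                 # doubled quote: still inside the literal
      elsif c == "'"
        in_string = false
      end
    elsif c == "'"
      in_string = true
    elsif c == ";"
      count += 1
    end
    i += 1
  end
  count
end
```

Run with the post's two parameter values: the bound query stays a single statement with the payload inside the literal, while the interpolated form yields two.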