mirror of
https://github.com/github/codeql.git
synced 2026-04-28 10:15:14 +02:00
Merge pull request #12493 from hmac/ar-sinks
This commit is contained in:
Harry Maclean
6
ruby/ql/lib/change-notes/2023-03-13-rails-sinks.md
Normal file
6
ruby/ql/lib/change-notes/2023-03-13-rails-sinks.md
Normal file
@@ -0,0 +1,6 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The Active Record query methods `reorder` and `count_by_sql` are now recognised as SQL executions.
|
||||
* Calls to `ActiveRecord::Connection#execute`, including those via subclasses, are now recognised as SQL executions.
|
||||
* Data flow through `ActionController::Parameters#require` is now tracked properly.
|
||||
@@ -632,9 +632,9 @@ private module ParamsSummaries {
|
||||
// dig doesn't always return a Parameters instance, but it will if the
|
||||
// given key refers to a nested hash parameter.
|
||||
"dig", "each", "each_key", "each_pair", "each_value", "except", "keep_if", "merge",
|
||||
"merge!", "permit", "reject", "reject!", "reverse_merge", "reverse_merge!", "select",
|
||||
"select!", "slice", "slice!", "transform_keys", "transform_keys!", "transform_values",
|
||||
"transform_values!", "with_defaults", "with_defaults!"
|
||||
"merge!", "permit", "reject", "reject!", "require", "reverse_merge", "reverse_merge!",
|
||||
"select", "select!", "slice", "slice!", "transform_keys", "transform_keys!",
|
||||
"transform_values", "transform_values!", "with_defaults", "with_defaults!"
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
@@ -31,6 +31,18 @@ private predicate isBuiltInMethodForActiveRecordModelInstance(string methodName)
|
||||
methodName = objectInstanceMethodName()
|
||||
}
|
||||
|
||||
private API::Node activeRecordClassApiNode() {
|
||||
result =
|
||||
// class Foo < ActiveRecord::Base
|
||||
// class Bar < Foo
|
||||
[
|
||||
API::getTopLevelMember("ActiveRecord").getMember("Base"),
|
||||
// In Rails applications `ApplicationRecord` typically extends `ActiveRecord::Base`, but we
|
||||
// treat it separately in case the `ApplicationRecord` definition is not in the database.
|
||||
API::getTopLevelMember("ApplicationRecord")
|
||||
].getASubclass()
|
||||
}
|
||||
|
||||
/**
|
||||
* A `ClassDeclaration` for a class that inherits from `ActiveRecord::Base`. For example,
|
||||
*
|
||||
@@ -45,15 +57,8 @@ private predicate isBuiltInMethodForActiveRecordModelInstance(string methodName)
|
||||
*/
|
||||
class ActiveRecordModelClass extends ClassDeclaration {
|
||||
ActiveRecordModelClass() {
|
||||
// class Foo < ActiveRecord::Base
|
||||
// class Bar < Foo
|
||||
this.getSuperclassExpr() =
|
||||
[
|
||||
API::getTopLevelMember("ActiveRecord").getMember("Base"),
|
||||
// In Rails applications `ApplicationRecord` typically extends `ActiveRecord::Base`, but we
|
||||
// treat it separately in case the `ApplicationRecord` definition is not in the database.
|
||||
API::getTopLevelMember("ApplicationRecord")
|
||||
].getASubclass().getAValueReachableFromSource().asExpr().getExpr()
|
||||
activeRecordClassApiNode().getAValueReachableFromSource().asExpr().getExpr()
|
||||
}
|
||||
|
||||
// Gets the class declaration for this class and all of its super classes
|
||||
@@ -116,14 +121,14 @@ private Expr sqlFragmentArgument(MethodCall call) {
|
||||
[
|
||||
"delete_all", "delete_by", "destroy_all", "destroy_by", "exists?", "find_by", "find_by!",
|
||||
"find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "from",
|
||||
"group", "having", "joins", "lock", "not", "order", "pluck", "where", "rewhere", "select",
|
||||
"reselect", "update_all"
|
||||
"group", "having", "joins", "lock", "not", "order", "reorder", "pluck", "where",
|
||||
"rewhere", "select", "reselect", "update_all"
|
||||
] and
|
||||
result = call.getArgument(0)
|
||||
or
|
||||
methodName = "calculate" and result = call.getArgument(1)
|
||||
or
|
||||
methodName in ["average", "count", "maximum", "minimum", "sum"] and
|
||||
methodName in ["average", "count", "maximum", "minimum", "sum", "count_by_sql"] and
|
||||
result = call.getArgument(0)
|
||||
or
|
||||
// This format was supported until Rails 2.3.8
|
||||
@@ -208,11 +213,18 @@ class ActiveRecordSqlExecutionRange extends SqlExecution::Range {
|
||||
exists(PotentiallyUnsafeSqlExecutingMethodCall mc |
|
||||
this.asExpr().getNode() = mc.getSqlFragmentSinkArgument()
|
||||
)
|
||||
or
|
||||
this = activeRecordConnectionInstance().getAMethodCall("execute").getArgument(0) and
|
||||
unsafeSqlExpr(this.asExpr().getExpr())
|
||||
}
|
||||
|
||||
override DataFlow::Node getSql() { result = this }
|
||||
}
|
||||
|
||||
private API::Node activeRecordConnectionInstance() {
|
||||
result = activeRecordClassApiNode().getReturn("connection")
|
||||
}
|
||||
|
||||
// TODO: model `ActiveRecord` sanitizers
|
||||
// https://api.rubyonrails.org/classes/ActiveRecord/Sanitization/ClassMethods.html
|
||||
/**
|
||||
|
||||
@@ -90,6 +90,10 @@ class FooController < ActionController::Base
|
||||
# BAD: executes `UPDATE "users" SET #{params[:fields]}`
|
||||
# where `params[:fields]` is unsanitized
|
||||
User.update_all(params[:fields])
|
||||
|
||||
User.reorder(params[:direction])
|
||||
|
||||
User.count_by_sql(params[:custom_sql_query])
|
||||
end
|
||||
end
|
||||
|
||||
@@ -151,3 +155,26 @@ class AnnotatedController < ActionController::Base
|
||||
users = User.annotate("this is an unsafe annotation:#{params[:comment]}").find_by(user_name: name)
|
||||
end
|
||||
end
|
||||
|
||||
# A regression test
|
||||
|
||||
class Regression < ActiveRecord::Base
|
||||
end
|
||||
|
||||
class RegressionController < ActionController::Base
|
||||
def index
|
||||
my_params = permitted_params
|
||||
query = "SELECT * FROM users WHERE id = #{my_params[:user_id]}"
|
||||
result = Regression.find_by_sql(query)
|
||||
end
|
||||
|
||||
|
||||
def permitted_params
|
||||
params.require(:my_key).permit(:id, :user_id, :my_type)
|
||||
end
|
||||
|
||||
def show
|
||||
ActiveRecord::Base.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
|
||||
Regression.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
|
||||
end
|
||||
end
|
||||
@@ -26,13 +26,27 @@ edges
|
||||
| ActiveRecordInjection.rb:84:19:84:24 | call to params : | ActiveRecordInjection.rb:84:19:84:33 | ...[...] |
|
||||
| ActiveRecordInjection.rb:88:18:88:23 | call to params : | ActiveRecordInjection.rb:88:18:88:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:92:21:92:26 | call to params : | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:98:10:98:15 | call to params : | ActiveRecordInjection.rb:99:11:99:12 | ps : |
|
||||
| ActiveRecordInjection.rb:99:11:99:12 | ps : | ActiveRecordInjection.rb:99:11:99:17 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:99:11:99:17 | ...[...] : | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
|
||||
| ActiveRecordInjection.rb:137:21:137:26 | call to params : | ActiveRecordInjection.rb:137:21:137:44 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:137:21:137:44 | ...[...] : | ActiveRecordInjection.rb:20:22:20:30 | condition : |
|
||||
| ActiveRecordInjection.rb:151:59:151:64 | call to params : | ActiveRecordInjection.rb:151:59:151:74 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:151:59:151:74 | ...[...] : | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:94:18:94:23 | call to params : | ActiveRecordInjection.rb:94:18:94:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:96:23:96:28 | call to params : | ActiveRecordInjection.rb:96:23:96:47 | ...[...] |
|
||||
| ActiveRecordInjection.rb:102:10:102:15 | call to params : | ActiveRecordInjection.rb:103:11:103:12 | ps : |
|
||||
| ActiveRecordInjection.rb:103:11:103:12 | ps : | ActiveRecordInjection.rb:103:11:103:17 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] : | ActiveRecordInjection.rb:108:20:108:32 | ... + ... |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params : | ActiveRecordInjection.rb:141:21:141:44 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] : | ActiveRecordInjection.rb:20:22:20:30 | condition : |
|
||||
| ActiveRecordInjection.rb:155:59:155:64 | call to params : | ActiveRecordInjection.rb:155:59:155:74 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:155:59:155:74 | ...[...] : | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params : | ActiveRecordInjection.rb:167:47:167:55 | my_params : |
|
||||
| ActiveRecordInjection.rb:167:47:167:55 | my_params : | ActiveRecordInjection.rb:167:47:167:65 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:167:47:167:65 | ...[...] : | ActiveRecordInjection.rb:168:37:168:41 | query |
|
||||
| ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:173:5:173:27 | call to require : |
|
||||
| ActiveRecordInjection.rb:173:5:173:27 | call to require : | ActiveRecordInjection.rb:173:5:173:59 | call to permit : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params : | ActiveRecordInjection.rb:177:77:177:102 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:177:77:177:102 | ...[...] : | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params : | ActiveRecordInjection.rb:178:69:178:94 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:178:69:178:94 | ...[...] : | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." |
|
||||
| ArelInjection.rb:4:12:4:17 | call to params : | ArelInjection.rb:4:12:4:29 | ...[...] : |
|
||||
| ArelInjection.rb:4:12:4:29 | ...[...] : | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." |
|
||||
nodes
|
||||
@@ -78,15 +92,32 @@ nodes
|
||||
| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:92:21:92:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:98:10:98:15 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:99:11:99:12 | ps : | semmle.label | ps : |
|
||||
| ActiveRecordInjection.rb:99:11:99:17 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:104:20:104:32 | ... + ... | semmle.label | ... + ... |
|
||||
| ActiveRecordInjection.rb:137:21:137:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:137:21:137:44 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:151:59:151:64 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:151:59:151:74 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:94:18:94:23 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:96:23:96:28 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:102:10:102:15 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:103:11:103:12 | ps : | semmle.label | ps : |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | semmle.label | ... + ... |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:155:59:155:64 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:155:59:155:74 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params : | semmle.label | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:167:47:167:55 | my_params : | semmle.label | my_params : |
|
||||
| ActiveRecordInjection.rb:167:47:167:65 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:168:37:168:41 | query | semmle.label | query |
|
||||
| ActiveRecordInjection.rb:173:5:173:10 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:173:5:173:27 | call to require : | semmle.label | call to require : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | semmle.label | call to permit : |
|
||||
| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params : | semmle.label | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:177:77:177:102 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params : | semmle.label | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:178:69:178:94 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ArelInjection.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| ArelInjection.rb:4:12:4:29 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
|
||||
@@ -94,7 +125,7 @@ subpaths
|
||||
#select
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:137:21:137:26 | call to params : | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:137:21:137:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:141:21:141:26 | call to params : | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:141:21:141:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params : | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params : | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params : | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
|
||||
@@ -108,6 +139,11 @@ subpaths
|
||||
| ActiveRecordInjection.rb:84:19:84:33 | ...[...] | ActiveRecordInjection.rb:84:19:84:24 | call to params : | ActiveRecordInjection.rb:84:19:84:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:84:19:84:24 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | ActiveRecordInjection.rb:88:18:88:23 | call to params : | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:88:18:88:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | ActiveRecordInjection.rb:92:21:92:26 | call to params : | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:92:21:92:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:104:20:104:32 | ... + ... | ActiveRecordInjection.rb:98:10:98:15 | call to params : | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:98:10:98:15 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:151:59:151:64 | call to params : | ActiveRecordInjection.rb:151:27:151:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:151:59:151:64 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | ActiveRecordInjection.rb:94:18:94:23 | call to params : | ActiveRecordInjection.rb:94:18:94:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:94:18:94:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | ActiveRecordInjection.rb:96:23:96:28 | call to params : | ActiveRecordInjection.rb:96:23:96:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:96:23:96:28 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | ActiveRecordInjection.rb:102:10:102:15 | call to params : | ActiveRecordInjection.rb:108:20:108:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:102:10:102:15 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:155:59:155:64 | call to params : | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:155:59:155:64 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:168:37:168:41 | query | ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:168:37:168:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params : | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
|
||||
|
||||
Reference in New Issue
Block a user