Files
codeql/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb
2026-06-15 23:03:46 +01:00

10 lines
338 B
Ruby

class PotatoController < ActionController::Base
def unsafe_action
name = params[:user_name] # $ Source
# BAD: SQL statement constructed from user input
sql = Arel.sql("SELECT * FROM users WHERE name = #{name}") # $ Alert
sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}") # $ Alert
end
end