hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-27 12:23:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
386dedb9df875a1bf9cff6b73205ba863daa91ca
codeql/ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb
Nick Rolfe 5a15558355 Ruby: treat an Arel.sql call as a SqlConstruction
2022-11-10 14:11:14 +00:00

8 lines
224 B
Ruby
Raw Blame History

class PotatoController < ActionController::Base
def unsafe_action
name = params[:user_name]
# BAD: SQL statement constructed from user input
sql = Arel.sql("SELECT * FROM users WHERE name = #{name}")
end
end
Reference in New Issue View Git Blame Copy Permalink