mirror of
https://github.com/github/codeql.git
synced 2026-02-28 12:53:49 +01:00
56 lines
1.6 KiB
Ruby
56 lines
1.6 KiB
Ruby
class User < ApplicationRecord
|
||
|
||
end
|
||
|
||
class UserController < ActionController::Base
|
||
def create
|
||
# BAD: arbitrary params are permitted to be used for this assignment
|
||
User.new(user_params).save!
|
||
end
|
||
|
||
def create2
|
||
# GOOD: the permitted parameters are explicitly specified
|
||
User.new(params[:user].permit(:name,:address))
|
||
end
|
||
|
||
def create3
|
||
# each BAD
|
||
User.build(user_params)
|
||
User.create(user_params)
|
||
User.create!(user_params)
|
||
User.insert(user_params)
|
||
User.insert!(user_params)
|
||
User.insert_all([user_params])
|
||
User.insert_all!([user_params])
|
||
User.update(user_params)
|
||
User.update(7, user_params)
|
||
User.update!(user_params)
|
||
User.update!(7, user_params)
|
||
User.upsert(user_params)
|
||
User.upsert([user_params])
|
||
User.find_or_create_by(user_params)
|
||
User.find_or_create_by!(user_params)
|
||
User.find_or_initialize_by(user_params)
|
||
User.create_or_find_by(user_params)
|
||
User.create_or_find_by!(user_params)
|
||
User.create_with(user_params)
|
||
|
||
user = User.where(name:"abc")
|
||
user.update(user_params)
|
||
end
|
||
|
||
def user_params
|
||
params.require(:user).permit!
|
||
end
|
||
|
||
def create4
|
||
x = params[:user]
|
||
x.permit!
|
||
User.new(x) # BAD
|
||
User.new(x.permit(:name,:address)) # GOOD
|
||
User.new(params.permit(user: {})) # BAD
|
||
User.new(params.permit(user: [:name, :address, {friends:{}}])) # BAD
|
||
User.new(params.to_unsafe_h) # BAD
|
||
User.new(params.permit(user: [:name, :address]).to_unsafe_h) # GOOD
|
||
end
|
||
end |