Refactor #23300: Do not use string interpolation when composing SQL queries. - Foreman

Custom queries

3.10.0 release DONE
3.10.0 release TODO
3.11.0 release DONE
3.11.0 release TODO
3.8.1 release DONE
3.8.1 release TODO
3.9.2 release DONE
3.9.2 release TODO
All bugs by votes
All issues closed in the last 3 weeks
Easy and Trivial Issues
Easy Issues (only)
Foreman - new open issues in last 10 days
Good first issues - Foreman core
high prio open bugs
Host registration [open]
Mine
My issues closed in the last 3 weeks
old bugs
Open with target version set (aka blockers)
registration
taken-none
Team Atlas untriaged bugs
templates
Trivial Issues
Untriaged and opened in the past two weeks

Actions

Copy link

Refactor #23300

closed

Do not use string interpolation when composing SQL queries.

Added by Martin Povolny about 6 years ago. Updated over 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Rails

Target version:

Difficulty:

Triaged:

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman/pull/8979

Fixed in Releases:

3.2.0

Found in Releases:

Red Hat JIRA:

Description

Using string interpolation when composing SQL queries is just one step away from creating a security issue. It's against the Rails best practices to do so. Doing so actually results into Brakeman complaining loudly.

Task: replace string interpolation with use of parameterization of queries and/or AREL.

Related issues 5 (0 open — 5 closed)

Related to Foreman - Tracker #21834: Rails 5.2 upgrade tasks

Closed

Actions

Related to Foreman - Refactor #23234: remove friendly_id <5.0 workarounds

Closed

Tomer Brisker

Actions

Related to Foreman - Tracker #24837: Rails 6.0 Tracker

Closed

Actions

Related to Foreman - Refactor #29520: Wrap sql in Arel.sql() where needed

Closed

Actions

Blocks Foreman - Tracker #28570: Rails 6.1 Tracker

Closed

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Marek Hulán about 6 years ago

Status changed from New to Need more information

Could you share the list of such places? Or is that based on brakeman scan only? Was it just Foreman core or also some plugins that you've scanned?

Actions

Copy link

Updated by Anonymous about 6 years ago

Brakeman is there: http://ci.theforeman.org/job/test_brakeman (although that's going to be deleted soon). The Rails 5.2 warnings can be seen in the new deprecations in https://github.com/theforeman/foreman/pull/5428

Actions

Copy link

Updated by Martin Povolny about 6 years ago

I started with Brakeman scan and `grep` and with Foreman only and did not spend much time on this yet.

I think that basic checking should be done on regular basis possibly as part of the CI and also for plugins. Brakeman can be used and/or services such as Hakiri (https://hakiri.io/).

I don't have a list of issues. Initial one can be obtained by running Brakeman.

In my opinion as a starting point all issues reported by Brakeman should be fixed or marked as false positives in the Brakeman config file (to be included with Foreman).

Actions

Copy link