Packages
sobelow
0.14.0
0.14.1
0.14.0
0.13.0
0.12.2
0.12.1
0.12.0
0.11.1
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.0
0.7.8
0.7.7
0.7.6
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.9
0.6.8
0.6.7
0.6.6
0.6.5
0.6.4
0.6.3
0.6.2
0.6.1
0.6.0
0.5.4
0.5.3
0.5.2
0.5.1
0.5.0
0.4.9
0.4.8
0.4.7
0.4.6
0.4.5
0.4.4
0.4.3
0.4.2
0.4.1
0.4.0
0.3.12
0.3.11
0.3.10
0.3.9
0.3.8
0.3.7
0.3.6
0.3.5
0.3.4
0.3.3
0.3.2
0.3.1
0.3.0
0.2.8
0.2.7
0.2.6
0.2.5
0.2.4
0.2.3
Security-focused static analysis for Elixir & the Phoenix framework
Current section
Files
Jump to
Current section
Files
lib/sobelow/sql/query.ex
defmodule Sobelow.SQL.Query do
@moduledoc """
# SQL Injection in Query
This submodule of the `SQL` module checks for SQL injection
vulnerabilities through usage of the `Ecto.Adapters.SQL.query`
and `Ecto.Adapters.SQL.query!`.
Ensure that the query is parameterized and not user-controlled.
SQLi Query checks can be ignored with the following command:
$ mix sobelow -i SQL.Query
"""
@uid 17
@finding_type "SQL.Query: SQL injection"
@query_funcs [:query, :query!]
use Sobelow.Finding
def run(fun, meta_file) do
confidence = if !meta_file.controller?, do: :low
Enum.each(@query_funcs, fn query_func ->
Finding.init(@finding_type, meta_file.filename, confidence)
|> Finding.multi_from_def(fun, parse_sql_def(fun, query_func))
|> Enum.each(&Print.add_finding(&1))
end)
Enum.each(@query_funcs, fn query_func ->
Finding.init(@finding_type, meta_file.filename, confidence)
|> Finding.multi_from_def(fun, parse_repo_query_def(fun, query_func))
|> Enum.each(&Print.add_finding(&1))
end)
end
## query(repo, sql, params \\ [], opts \\ [])
def parse_sql_def(fun, type) do
Parse.get_fun_vars_and_meta(fun, 1, type, :SQL)
end
def parse_repo_query_def(fun, type) do
Parse.get_fun_vars_and_meta(fun, 0, type, :Repo)
end
end