Current section

Files

Jump to
sobelow lib sobelow sql.ex
Raw

lib/sobelow/sql.ex

defmodule Sobelow.SQL do
@moduledoc """
# SQL Injection
SQL injection occurs when untrusted input is interpolated
directly into a SQL query. In a typical Phoenix application,
this would mean using the `Ecto.Adapters.SQL.query` method
and not using the parameterization feature.
Read more about SQL injection here:
https://www.owasp.org/index.php/SQL_Injection
SQL injection checks can be ignored with the following command:
$ mix sobelow -i SQL
"""
@submodules [Sobelow.SQL.Query, Sobelow.SQL.Stream]
use Sobelow.Finding
def get_vulns(fun, filename, _web_root, skip_mods \\ []) do
path = Path.expand(filename, "")
|> String.replace_prefix("/", "")
allowed = @submodules -- (Sobelow.get_ignored() ++ skip_mods)
Enum.each allowed, fn mod ->
apply(mod, :run, [fun, path])
end
end
end