I have this piece of code in Ruby, which I believe could be a SQL injection spot
@remaining_mdls = @remaining_mdls&.where("\"#{paginated_params_name}\" > ?", paginated_params_val) if paginated_params_val.present?
This method checks for the availability of some objects, but I think it can be used for malicious purposes.
Is this safe or not?
Yes. You're interpolating paginated_params_name.
The easiest fix would be to verify that paginated_params_name is included in a list of known columns:
ALLOWED_PAGINATED_PARAMS = %w(created_at updated_at ...)

if paginated_params_val.present?
  # Reject any column name that is not on the allowlist before it reaches the SQL string
  unless ALLOWED_PAGINATED_PARAMS.include?(paginated_params_name)
    fail "Unknown pagination param '#{paginated_params_name}'"
  end
  @remaining_mdls = @remaining_mdls&.where("\"#{paginated_params_name}\" > ?", paginated_params_val)
end
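The allowlist pattern from the answer, as a standalone added example (not code from the question or the answer) that runs without Rails or a database. It builds the same `where(String, *binds)` fragment the original line passes to ActiveRecord, but only after the column name has been checked; the value is never interpolated, it is returned as a bind. The constant ALLOWED_PAGINATED_PARAMS contents, the UnknownPaginationParam class and the helper names are assumptions for this illustration.

```ruby
# Added example, not the original poster's code. Mirrors the answer's fix:
# the column name is validated against a fixed allowlist before it is
# interpolated into the SQL fragment; the comparison value stays a bind.

# Constructed allowlist of sortable/paginatable columns (assumed for this example).
ALLOWED_PAGINATED_PARAMS = %w(created_at updated_at id).freeze

# Raised when a request names a column that is not on the allowlist.
class UnknownPaginationParam < StandardError; end

# True when the name is one of the known columns.
def pagination_param_allowed?(name)
  ALLOWED_PAGINATED_PARAMS.include?(name)
end

# Returns [sql_fragment, bind_values], the shape ActiveRecord's
# where(String, *binds) accepts, or nil when there is no pagination value
# (the equivalent of the original `if paginated_params_val.present?` guard).
def build_pagination_clause(paginated_params_name, paginated_params_val)
  return nil if paginated_params_val.nil? || paginated_params_val.to_s.strip.empty?

  unless pagination_param_allowed?(paginated_params_name)
    raise UnknownPaginationParam, "Unknown pagination param '#{paginated_params_name}'"
  end

  # Safe to interpolate now: the name can only be one of the literals above.
  ["\"#{paginated_params_name}\" > ?", [paginated_params_val]]
end

if __FILE__ == $PROGRAM_NAME
  p build_pagination_clause("created_at", "2023-01-01")
  # A name containing quote characters is not on the allowlist and is
  # rejected before any SQL string is built.
  begin
    build_pagination_clause('id" OR "x', "1")
  rescue UnknownPaginationParam => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails controller the caller would do `@remaining_mdls = @remaining_mdls&.where(*clause) if clause`, and the rejection is a good place to log the offending parameter name, since a non-allowlisted column in a pagination request is a useful detection signal.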