# Inspect one SQL-building method call that the scan matched and emit a
# "SQL Injection" warning when the argument that can carry raw SQL looks
# unsafe. A second, separate warning covers the old :limit/:offset escaping
# gap (pre-Rails 2.1.2).
#
# @param result [Hash] match record; reads result[:call] (the call Sexp)
#   and result[:chain] (receiver chain, may be nil)
# @return the value of the last expression is not meaningful — findings
#   are reported through add_result/warn as side effects
def process_result(result)
  # Skip calls already reported, and calls that carry an original_line
  # (already rewritten elsewhere), so a finding is not reported twice.
  return if duplicate?(result) || result[:call].original_line

  sql_call = result[:call]
  method_name = sql_call.method

  # Each query method keeps attacker-reachable SQL in a different argument
  # position, so dispatch on the method name to the checker that knows where
  # to look. A checker returns the offending value, or nil when nothing is found.
  dangerous_value =
    case method_name
    when :find then check_find_arguments(sql_call.second_arg)
    when :exists? then check_exists(sql_call.first_arg)
    when :delete_all, :destroy_all then check_find_arguments(sql_call.first_arg)
    when :named_scope, :scope then check_scope_arguments(sql_call)
    when :find_by_sql, :count_by_sql then check_by_sql_arguments(sql_call.first_arg)
    when :calculate then check_find_arguments(sql_call.third_arg)
    when :last, :first, :all then check_find_arguments(sql_call.first_arg)
    when :average, :count, :maximum, :minimum, :sum
      # With an extra argument present (Sexp length > 5) the first argument
      # may itself be a raw SQL fragment, so it is inspected before the options.
      if sql_call.length > 5
        unsafe_sql?(sql_call.first_arg) || check_find_arguments(sql_call.last_arg)
      else
        check_find_arguments(sql_call.last_arg)
      end
    when :where, :having, :find_by, :find_by!, :not then check_query_arguments(sql_call.arglist)
    when :order, :group, :reorder then check_order_arguments(sql_call.arglist)
    when :joins then check_joins_arguments(sql_call.first_arg)
    when :from, :pluck, :sql then unsafe_sql?(sql_call.first_arg)
    when :lock then check_lock_arguments(sql_call.first_arg)
    when :update_all, :select then check_update_all_arguments(sql_call.args)
    when *@connection_calls then check_by_sql_arguments(sql_call.first_arg)
    else
      Brakeman.debug "Unhandled SQL method: #{method_name}"
    end

  if dangerous_value
    add_result result

    # Direct user input inside the dangerous value is a high-confidence
    # finding; otherwise the unsafe expression itself is reported at medium.
    tainted = include_user_input?(dangerous_value)
    confidence, user_input = tainted ? [:high, tainted] : [:medium, dangerous_value]

    # When the call has an explicit receiver whose chain does not start with
    # one of @expected_targets, it is less certain the call reaches the
    # database, so the confidence is stepped down once (:high -> :medium,
    # :medium -> :weak).
    unexpected_target = sql_call.target && result[:chain] &&
                        !@expected_targets.include?(result[:chain].first)
    confidence = { high: :medium, medium: :weak }.fetch(confidence, confidence) if unexpected_target

    warn result: result,
         warning_type: "SQL Injection",
         warning_code: :sql_injection,
         message: "Possible SQL injection",
         user_input: user_input,
         confidence: confidence
  end

  # Independent of the check above: :limit/:offset values were not escaped
  # before Rails 2.1.2, so a user-controlled last argument is reported too.
  last_arg = sql_call.last_arg
  if check_for_limit_or_offset_vulnerability(last_arg)
    warn result: result,
         warning_type: "SQL Injection",
         warning_code: :sql_injection_limit_offset,
         message: msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
         confidence: (include_user_input?(last_arg) ? :high : :weak)
  end
end