Module: Aikido::Zen::Sinks::SQLite3

Defined in:
lib/aikido/zen/sinks/sqlite3.rb

Defined Under Namespace

Modules: Helpers

Constant Summary

SINK =
Sinks.add("sqlite3", scanners: [Scanners::SQLInjectionScanner])

Class Method Summary

Class Method Details

.load_sinks! ⇒ Object



# File 'lib/aikido/zen/sinks/sqlite3.rb', line 18

# Installs the Aikido Zen hooks for the sqlite3 gem.
#
# Guarded by +Aikido::Zen.satisfy "sqlite3", ">= 1.0"+: when the gem is
# absent or too old nothing is required and nothing is patched. Otherwise
# the gem is loaded and three entry points are wrapped so that the query
# text is handed to +Helpers.scan+ and then to +Aikido::Zen.idor_protect+:
#
# * +SQLite3::Database#execute+ / +#execute_batch+ (plus the private native
#   +#exec_batch+), which receive the SQL and bind values directly.
# * +SQLite3::Database#prepare+, which scans the SQL and stores it on the
#   returned statement so that +SQLite3::Statement#execute+ can repeat the
#   checks with the bind values actually supplied at execution time.
#
# The +presafe_sink_before+ DSL is presumably a "run this hook before the
# original method" helper; its exact semantics live in +Sinks::DSL+.
#
# @return [void] (the value of the last +class_eval+ is not meaningful)
def self.load_sinks!
  return unless Aikido::Zen.satisfy "sqlite3", ">= 1.0"

  require "sqlite3"

  ::SQLite3::Database.class_eval do
    extend Sinks::DSL

    # Both methods are hooked with the same (sql, bind_vars) block shape and
    # the same scan label.
    %i[execute execute_batch].each do |hooked|
      presafe_sink_before hooked do |sql, bind_vars|
        Sinks::DSL.safe { Helpers.scan(sql, "database.execute") }
        Aikido::Zen.idor_protect(sql, :sqlite, bind_vars)
      end
    end

    # SQLite3::Database#exec_batch is an internal native private method; it is
    # hooked as well. Only the SQL is passed to idor_protect here (no bind
    # values), and the remaining arguments are ignored by the hook.
    presafe_sink_before :exec_batch do |sql, *_rest, **_opts|
      Sinks::DSL.safe { Helpers.scan(sql, "exec_batch") }
      Aikido::Zen.idor_protect(sql, :sqlite)
    end

    # Keep the original implementation reachable under a namespaced name
    # before redefining prepare below.
    alias_method :prepare__internal_for_aikido_zen, :prepare

    # Scans the SQL (first positional argument) and tags the resulting
    # statement with it via +aikido_idor_sql+, for both the plain-return form
    # and the block form of prepare. Bind values are not available yet, so
    # idor_protect is deferred to Statement#execute.
    def prepare(*args, **kwargs, &block)
      sql = args.first

      Sinks::DSL.safe { Helpers.scan(sql, "statement.execute") }

      if block
        prepare__internal_for_aikido_zen(*args, **kwargs) do |stmt|
          stmt.aikido_idor_sql = sql
          block.call(stmt)
        end
      else
        stmt = prepare__internal_for_aikido_zen(*args, **kwargs)
        stmt.aikido_idor_sql = sql
        stmt
      end
    end
  end

  ::SQLite3::Statement.class_eval do
    extend Sinks::DSL

    # SQL text recorded by Database#prepare; nil for statements created by
    # any path that bypasses the patched prepare.
    attr_accessor :aikido_idor_sql

    # Statement#execute only receives bind values; the SQL comes from the
    # accessor populated at prepare time.
    presafe_sink_before :execute do |*bind_vars|
      sql = aikido_idor_sql
      Sinks::DSL.safe { Helpers.scan(sql, "statement.execute") }
      Aikido::Zen.idor_protect(sql, :sqlite, bind_vars)
    end
  end
end