Skip to content

Prevent false positives #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Prevent false positives #23

wants to merge 2 commits into from

Conversation

nferraz
Copy link

@nferraz nferraz commented Sep 20, 2019

This pull request will prevent false positives in contexts that cannot generate SQL injections, for instance:

die     "Select returned: $error";
warn    "Update returned: $error";
croak   "Insert returned: $error";
carp    "Delete returned: $error";
confess "Select returned: $error";

It will always look at the previous significant sibling, so it will also prevent false positives like:

do_something() or die     "Select returned: $error";
do_something() or warn    "Update returned: $error";
do_something() or croak   "Insert returned: $error";
do_something() or carp    "Delete returned: $error";
do_something() or confess "Select returned: $error";

@nelson-ferraz
Add test cases
f88be82
@nelson-ferraz
Implement safe_context
7d6b813 
A space-separated string listing the functions that are not subject to
SQL injections.

Default functions are:

- die
- warn
- croak
- carp
- confess

Other good candidates are logging functions like:

- TRACE
- DEBUG
- INFO
- WARN
- ERROR
- FATAL
@coveralls
Copy link

Coverage Status

Coverage decreased (-0.4%) to 96.622% when pulling 7d6b813 on nferraz:nferraz/prevent-false-positives into 13fa7f0 on guillaumeaubert:master.

@nferraz nferraz mentioned this pull request Nov 22, 2019
Open
@xsawyerx
Copy link

xsawyerx commented Oct 1, 2020

The travis-ci tests are failing for unrelated reasons:

$ perlbrew use 5.16

ERROR: The installation "5.16" is unknown.

and:

$ perlbrew use 5.10

ERROR: The installation "5.10" is unknown.

oalders added a commit to perl-ide/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection that referenced this pull request Mar 4, 2021
@oalders
v2.000000
b2f691a 
        - Added test for heredoc terminators
          guillaumeaubert#17
          (Victor Efimov)
        - Reset `_sqlsafe` when scanning multiple documents; added tests
          guillaumeaubert#22
          (Charlie Garrison)
        - New test cases related to anonymous functions
          guillaumeaubert#18
          (Victor Efimov)
        - Add safe_context configuration option
          guillaumeaubert#23
          (Nelson Ferraz)
        - Added a new "prefer_upper_case_keywords" configuration option (Olaf Alders)
        - Added detection for ALTER, CREATE and DROP statements.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nferraz @coveralls @xsawyerx @nelson-ferraz