Commit ca074e2

add qhelp file
1 parent cf36333 commit ca074e2

2 files changed

Lines changed: 32 additions & 2 deletions


Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>
7+
Directly checking request parameters without following a strong params
8+
pattern can lead to unintentional avenues for injection attacks.
9+
</p>
10+
</overview>
11+
<recommendation>
12+
<p>
13+
Instead of manually checking parameters from the `param` object, it is
14+
recommended that you follow the strong parameters pattern established in
15+
Rails: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html
16+
</p>
17+
<p>
18+
In the strong parameters pattern, you are able to specify required and allowed
19+
parameters for each action called by your controller methods. This acts as an
20+
additional layer of data validation before being passed along to other areas
21+
of your application, such as the model.
22+
</p>
23+
</recommendation>
24+
25+
<references>
26+
27+
</references>
28+
</qhelp>
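Review bot: the recommendation paragraph names the controller object `param`, but in Rails it is `params`, and the surrounding backticks are markdown that qhelp XML does not render; use `<code>params</code>` instead. The bare Strong Parameters URL in that paragraph belongs in the `<references>` element, which this file leaves empty (qhelp lists links there as `<li><a href="...">...</a></li>` entries), and a short `<example>` contrasting a direct `params[...]` read with a `params.require(...).permit(...)` call would make the help actionable. The overview also frames the risk as "injection attacks"; the weakness strong parameters actually guard against is mass assignment of unpermitted attributes, so say that explicitly.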

ruby/ql/src/experimental/weak-params/WeakParams.ql

Lines changed: 4 additions & 2 deletions
@@ -4,9 +4,10 @@
44
* @kind path-problem
55
* @problem.severity error
66
* @security-severity 5.0
7-
* @precision low
7+
* @precision medium
88
* @id rb/weak-params
99
* @tags security
10+
* external/cwe/cwe-223
1011
*/
1112

1213
import ruby
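Review bot: the new `external/cwe/cwe-223` tag does not fit the weakness the query describes. CWE-223 is "Omission of Security-relevant Information"; the strong-parameters problem is mass assignment, which maps to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), so check the tag before the query leaves `experimental/`. The same hunk raises `@precision` from low to medium, but only two files change in this commit and no test results are shown; the commit message ("add qhelp file") should state what justified the bump.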
@@ -64,12 +65,13 @@ class ParamsReference extends ElementReference {
6465
}
6566

6667
/**
67-
* returns either Model or ViewModel classes with a base class of `ViewModel` or includes `ActionModel::Model`,
68+
* returns either Model or ViewModel classes with a base class of `ViewModel`, `ApplicationRecord` or includes `ActionModel::Model`,
6869
* which are required to support the strong parameters pattern
6970
*/
7071
class ModelClass extends ModuleBase {
7172
ModelClass() {
7273
this.getModule().getSuperClass+().toString() = "ViewModel" or
74+
this.getModule().getSuperClass+().toString() = "ApplicationRecord" or
7375
this.getModule().getSuperClass+().getAnIncludedModule().toString() = "ActionModel::Model"
7476
}
7577
}
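Review bot: both the doc comment and the third disjunct of the `ModelClass` characteristic predicate refer to `ActionModel::Model`; the Rails module is `ActiveModel::Model` (there is no `ActionModel`), so that branch can never match. That branch also only inspects `getSuperClass+()`, a non-reflexive closure, so a class that itself does `include ActiveModel::Model` with no superclass is missed; `getSuperClass*()` (or checking `this.getModule()` directly) would cover it. The added `ApplicationRecord` check compares `toString()` against a literal, which is fragile for namespaced bases and skips applications whose models extend `ActiveRecord::Base` directly, which `ApplicationRecord` itself does; match the resolved module by qualified name and add `ActiveRecord::Base` alongside `ApplicationRecord`. Finally, the comment says the class "returns" model classes; a class declaration selects them, so "matches" reads better.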

0 commit comments
