SQL injection vulnerability

It looks like the following is vulnerable to SQL injection. It ought to be solved by whitelisting against the model's parameters, and also escaping the inputs.

https://github.com/OddballGreg/generalized_api/blob/093ea7bb276b706f0258b0a581c0eaa339f418c3/lib/generalized_api/api.rb#L71

https://github.com/OddballGreg/generalized_api/blob/093ea7bb276b706f0258b0a581c0eaa339f418c3/lib/generalized_api/api.rb#L149-L151

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability #2

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

	def fuzzy_search_field
	"#{params["search_field"]} #{GeneralizedApi::DATABASE_LIKE} ?"
	end

SQL injection vulnerability #2

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions