Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive with operators like eq, && #20

Open
cashlo opened this issue May 7, 2018 · 2 comments
Open

False positive with operators like eq, && #20

cashlo opened this issue May 7, 2018 · 2 comments

Comments

@cashlo
Copy link

cashlo commented May 7, 2018

Here's some examples:

my $foo;
my $bar;

"update" eq $foo;
$foo eq "update" && $bar;
$foo ne "select" || $bar;

and the outpout:

SQL injection risk at line 4, column 1. Variables in interpolated SQL string are susceptible to SQL injection: $foo. (Severity: 5)
SQL injection risk at line 5, column 9. Variables in interpolated SQL string are susceptible to SQL injection: $bar. (Severity: 5)
SQL injection risk at line 6, column 9. Variables in interpolated SQL string are susceptible to SQL injection: $bar. (Severity: 5)

It seems to me some conditions need to be added around here ( https://github.com/guillaumeaubert/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection/blob/master/lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm#L398 ) for these operators?
@vti
Copy link

vti commented Sep 16, 2018
edited
Loading

Got bitten by this too:

my $branch = $type eq 'delete' ? $change->{old}->{name} : $change->{new}->{name};

@tadzik
Copy link

tadzik commented Sep 25, 2018

Stumbled upon this too, my testcase:

my $json;
exit if $json->{foo} eq 'delete' and exists $json->{bar};

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vti @tadzik @cashlo