tainted-deserialization
event object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of load can cause remote code execution. Loading user input with Marshal, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning ‘primitive’ types such as strings, arrays, hashes, numbers and nil.
tainted-sql-string
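The difference the rule message relies on, shown as an added example (not part of the rule catalogue and not Semgrep's own code): Marshal.load rebuilds whatever class the serialized bytes name, JSON.parse can only ever return primitives, and YAML.safe_load refuses tagged Ruby objects unless they are explicitly permitted. The AuditEntry class and the sample payloads are constructed for the demonstration. On Psych 4 (Ruby 3.1 and later) YAML.load already behaves like safe_load; on older Psych it does not, so the explicit safe_load call is the portable form.

```ruby
require 'json'
require 'yaml'

# Constructed sample class: harmless here, but it shows that Marshal
# instantiates arbitrary classes named by the input, not just data.
class AuditEntry
  attr_reader :user

  def initialize(user)
    @user = user
  end
end

# Marshal.load returns an instance of whatever class the byte string names;
# the caller has no way to restrict the result to primitive types.
def load_with_marshal(bytes)
  Marshal.load(bytes)
end

# JSON.parse can only produce Hash, Array, String, Numeric, true, false, nil.
def load_with_json(text)
  JSON.parse(text)
end

# YAML.safe_load rejects tagged objects (e.g. !ruby/object:Foo) by default;
# the DisallowedClass error is surfaced as a value so the caller can log it.
def load_with_safe_yaml(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass => e
  { error: e.class.name }
end

# Recursive check that a loaded value contains only the primitive types the
# rule message lists as acceptable output of a deserializer.
def primitive?(value)
  case value
  when String, Numeric, TrueClass, FalseClass, NilClass then true
  when Array then value.all? { |v| primitive?(v) }
  when Hash then value.all? { |k, v| primitive?(k) && primitive?(v) }
  else false
  end
end

if __FILE__ == $PROGRAM_NAME
  puts load_with_marshal(Marshal.dump(AuditEntry.new('alice'))).class   # AuditEntry
  puts primitive?(load_with_json('{"user":"alice","roles":["admin"]}'))  # true
  puts load_with_safe_yaml("--- !ruby/object:AuditEntry\nuser: alice\n").inspect
end
```

The primitive? helper is the property worth asserting at a trust boundary: a JSON.parse result always satisfies it, a Marshal.load result need not, and a YAML document that names a class is rejected before any object is built.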
sequel-sqli
event object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: DB['select * from items where name = ?', name]
mysql2-sqli
event object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can escape values like so: escaped = client.escape(user_input)
activerecord-sqli
event object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: Example.find_by_sql ["SELECT title FROM posts WHERE author = ? AND created > ?", author_id, start_date]
pg-sqli
event object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])