OeditusCredo.Check.Security.SQLInjection
(OeditusCredo v0.5.0)
Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of higher and works with any version of Elixir.
Explanation
Detects potential SQL injection vulnerabilities (CWE-89).
Building SQL queries through string concatenation or interpolation with user-controlled input enables SQL injection attacks.
Bad:
Repo.query("SELECT * FROM users WHERE id = " <> id)
Ecto.Adapters.SQL.query(Repo, "SELECT * FROM users WHERE name = '#{name}'")
fragment("SELECT * FROM users WHERE id = " <> ^id)
Good:
Repo.query("SELECT * FROM users WHERE id = $1", [id])
from(u in User, where: u.id == ^id)
Check-Specific Parameters
Use the following parameters to configure this check:
:exclude_test_files
Set to true to skip test files (default: false)
This parameter defaults to nil.
General Parameters
As with all checks, the general parameters can be applied.
Parameters can be configured via the .credo.exs config file.
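As an added example (not OeditusCredo's own implementation), the AST scan below shows how the patterns listed under Explanation can be recognised: it walks quoted source with Macro.prewalk and flags Repo.query, Ecto.Adapters.SQL.query and fragment calls whose SQL argument is a <> concatenation or an interpolated string instead of a literal with bound parameters. The module name, demo/0 and the embedded sample source are assumptions made for this example.

```elixir
# Added example, not OeditusCredo's own code: a minimal AST scan for the
# patterns this check describes. Assumes only the Elixir standard library.
defmodule SqlInjectionScan do
  # Returns [{line, callee}] for every query call whose SQL argument is
  # built with <> or string interpolation rather than a plain literal.
  def scan(source) when is_binary(source) do
    {_ast, findings} =
      source
      |> Code.string_to_quoted!()
      |> Macro.prewalk([], &visit/2)

    Enum.reverse(findings)
  end

  # Ecto.Adapters.SQL.query(Repo, sql, params): the SQL is the 2nd argument
  defp visit({{:., _, [{:__aliases__, _, [:Ecto, :Adapters, :SQL]}, :query]}, meta, [_repo, sql | _]} = node, acc),
    do: {node, report(sql, meta, "Ecto.Adapters.SQL.query", acc)}

  # MyApp.Repo.query(sql, params): the SQL is the 1st argument
  defp visit({{:., _, [{:__aliases__, _, mod}, :query]}, meta, [sql | _]} = node, acc) do
    if List.last(mod) == :Repo,
      do: {node, report(sql, meta, "Repo.query", acc)},
      else: {node, acc}
  end

  # fragment(sql, ...) inside an Ecto query expression
  defp visit({:fragment, meta, [sql | _]} = node, acc),
    do: {node, report(sql, meta, "fragment", acc)}

  defp visit(node, acc), do: {node, acc}

  defp report(sql, meta, callee, acc),
    do: if(dynamic_sql?(sql), do: [{meta[:line], callee} | acc], else: acc)

  # "..." <> expr is concatenation even when expr is a pinned ^var
  defp dynamic_sql?({:<>, _, _}), do: true
  # an interpolated string quotes to a <<>> node with :"::" segments
  defp dynamic_sql?({:<<>>, _, parts}), do: Enum.any?(parts, &match?({:"::", _, _}, &1))
  defp dynamic_sql?(_), do: false

  # Constructed sample: the page's bad forms followed by a parameterised one.
  def demo do
    scan("""
    Repo.query("SELECT * FROM users WHERE id = " <> id)
    Ecto.Adapters.SQL.query(Repo, "SELECT * FROM users WHERE name = '\#{name}'")
    Repo.query("SELECT * FROM users WHERE id = $1", [id])
    """)
  end
end
```

Calling SqlInjectionScan.demo/0 reports lines 1 and 2 of the sample and leaves the parameterised query on line 3 unflagged, which is the distinction the check's Bad and Good examples draw.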