I am getting a security error in my ROR code that SQL injection may be possible in one post request when I run The OWASP Zed Attack Proxy (ZAP) tool on my code. I have a get_auth_token method which does not take any parameters , ZAP tool adds a query parameter in this request and on executing the modifier request the page loads fine which is an issue
Below is the modified url with added query param
https://example.com/api/sessions/get_auth_token?query=query+AND+1%3D1+--+
get_auth_token implementation looks like this
def get_auth_token
user = User.find_by(id: session[:user_id], disabled: false)
if session[:user_id]
if user
token = AuthToken.issue(user_id:user.username)
session[:user_id] = user.id
session[:username] = user.username
session[:project_id] = user.get_setting('xyz', nil)
User.update(user.id, :token=>token)
I do not want to convert this request to GET. I have gone through many examples for SQL injection prevention , they all focus on methods which accept some param. My method does not accept any param. How can I make sure that it does not accept any external param to prevent this SQL injection
Aucun commentaire:
Enregistrer un commentaire