# Vulnerable: user input is concatenated directly into SQL.
email = params[:email]
password = params[:password]
sql = "SELECT * FROM users WHERE email = '#{email}' AND password_hash = '#{password}'"
user = ActiveRecord::Base.connection.execute(sql).first
RegistrationSchema = Dry::Schema.Params do
required(:email).filled(:string, format?: URI::MailTo::EMAIL_REGEXP)
required(:password).filled(:string, min_size?: 12)
optional(:marketing_opt_in).filled(:bool)
optional(:country).filled(:string, included_in?: %w[US CA GB AU])
end
raw_token = SecureRandom.urlsafe_base64(32)
token_digest = Digest::SHA256.hexdigest(raw_token)
PasswordReset.create!(
user: user,
token_digest: token_digest,
import psycopg
with psycopg.connect(conninfo) as connection:
with connection.cursor() as cursor:
cursor.execute(
'SELECT id, email FROM users WHERE email = %s',
from defusedxml.ElementTree import fromstring
payload = request.data.decode('utf-8')
root = fromstring(payload)
invoice_number = root.findtext('invoice_number')
base_path = Rails.root.join('storage', 'exports').realpath
requested = base_path.join(params[:filename].to_s).cleanpath
unless requested.to_s.start_with?(base_path.to_s) && requested.file?
raise ActionController::RoutingError, 'Not Found'
end
allowed_types = ['image/png', 'image/jpeg', 'application/pdf']
uploaded = params.require(:document)
raise ActionController::BadRequest, 'file too large' if uploaded.size > 10.megabytes
raise ActionController::BadRequest, 'type not allowed' unless allowed_types.include?(uploaded.content_type)
require 'ipaddr'
require 'resolv'
uri = URI.parse(params[:url])
allowed_hosts = %w[images.example-cdn.com api.partner.com]