Add a config option to class a variable as safe.

.github/workflows/dzil-build-and-test.yml

@@ -10,6 +10,7 @@ on:
       - "*"
   schedule:
     - cron: "15 4 * * 0" # Every Sunday morning
+  workflow_dispatch:
 
 jobs:
   build-job:
@@ -18,15 +19,15 @@ jobs:
     container:
       image: perldocker/perl-tester:5.32
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Run Tests
         env:
           AUTHOR_TESTING: 1
           AUTOMATED_TESTING: 1
           EXTENDED_TESTING: 1
           RELEASE_TESTING: 1
         run: auto-build-and-test-dist
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: build_dir
           path: build_dir
@@ -37,8 +38,8 @@ jobs:
     container:
       image: perldocker/perl-tester:5.32
     steps:
-      - uses: actions/checkout@v2 # codecov wants to be inside a Git repository
-      - uses: actions/download-artifact@v2
+      - uses: actions/checkout@v4 # codecov wants to be inside a Git repository
+      - uses: actions/download-artifact@v4
         with:
           name: build_dir
           path: .
@@ -54,7 +55,7 @@ jobs:
       matrix:
         os: [ubuntu-20.04]
         perl-version:
-          - "5.8"
+          # - "5.8"  Won't build 
           - "5.10"
           - "5.12"
           - "5.14"
@@ -67,13 +68,17 @@ jobs:
           - "5.28"
           - "5.30"
           - "5.32"
+          - "5.34"
+          - "5.36"
+          - "5.38"
+          - "5.40"
     name: perl ${{ matrix.perl-version }} on ${{ matrix.os }}
     steps:
       - name: set up perl
         uses: shogo82148/actions-setup-perl@v1
         with:
           perl-version: ${{ matrix.perl-version }}
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
         with:
           name: build_dir
           path: .
@@ -94,7 +99,7 @@ jobs:
       matrix:
         os: [macos-latest]
         perl-version:
-          - "5.8"
+          # - "5.8"
           - "5.10"
           - "5.12"
           - "5.14"
@@ -107,13 +112,17 @@ jobs:
           - "5.28"
           - "5.30"
           - "5.32"
+          - "5.34"
+          - "5.36"
+          - "5.38"
+          - "5.40"          
     name: perl ${{ matrix.perl-version }} on ${{ matrix.os }}
     steps:
       - name: set up perl
         uses: shogo82148/actions-setup-perl@v1
         with:
           perl-version: ${{ matrix.perl-version }}
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
         with:
           name: build_dir
           path: .
@@ -135,22 +144,27 @@ jobs:
         os: [windows-latest]
         perl-version:
           - "5.14"
-          - "5.16"
+          # - "5.16" Doesn't work
           - "5.18"
           - "5.20"
           - "5.22"
           - "5.24"
           - "5.26"
           - "5.28"
           - "5.30"
+          - "5.32"
+          # - "5.34"
+          - "5.36"
+          - "5.38"
+          # - "5.40"          
     name: perl ${{ matrix.perl-version }} on ${{ matrix.os }}
     steps:
       - name: set up perl
         uses: shogo82148/actions-setup-perl@v1
         with:
           perl-version: ${{ matrix.perl-version }}
           distribution: strawberry # this option only used on windows
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
         with:
           name: build_dir
           path: .

Changes

@@ -1,5 +1,7 @@
 Revision history for Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection
 {{$NEXT}}
+
+2.000001  2021-03-05 15:39:11Z
         - Bump minimum PPI version to 1.222  (GH#1) (Olaf Alders)
 
 2.000000  2021-03-04 22:59:36Z

META.json

@@ -57,6 +57,7 @@
       "runtime" : {
          "requires" : {
             "Carp" : "0",
+            "PPI" : "1.222",
             "PPIx::QuoteLike" : "0.015",
             "Perl::Critic::Policy" : "0",
             "Perl::Critic::Utils" : "0",
@@ -76,7 +77,7 @@
          "requires" : {
             "ExtUtils::MakeMaker" : "0",
             "File::Spec" : "0",
-            "PPI" : "0",
+            "PPI" : "1.222",
             "Test::FailWarnings" : "0",
             "Test::More" : "0",
             "Test::Perl::Critic" : "0",
@@ -97,7 +98,7 @@
          "web" : "https://github.com/oalders/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection"
       }
    },
-   "version" : "2.000000",
+   "version" : "2.000001",
    "x_Dist_Zilla" : {
       "perl" : {
          "version" : "5.030002"
@@ -655,7 +656,7 @@
                   "branch" : null,
                   "changelog" : "Changes",
                   "signed" : 0,
-                  "tag" : "v2.000000",
+                  "tag" : "v2.000001",
                   "tag_format" : "v%V",
                   "tag_message" : "v%V"
                },
@@ -749,6 +750,17 @@
             "name" : "StaticInstall",
             "version" : "0.012"
          },
+         {
+            "class" : "Dist::Zilla::Plugin::Prereqs",
+            "config" : {
+               "Dist::Zilla::Plugin::Prereqs" : {
+                  "phase" : "runtime",
+                  "type" : "requires"
+               }
+            },
+            "name" : "RuntimeRequires",
+            "version" : "6.017"
+         },
          {
             "class" : "Dist::Zilla::Plugin::FinderCode",
             "name" : ":InstallModules",
@@ -812,6 +824,7 @@
       "Charlie Garrison <[email protected]>",
       "Guillaume Aubert <[email protected]>",
       "Nelson Ferraz <[email protected]>",
+      "Olaf Alders <[email protected]>",
       "Olaf Alders <[email protected]>",
       "Victor <[email protected]>"
    ],

Makefile.PL

@@ -18,6 +18,7 @@ my %WriteMakefileArgs = (
   "NAME" => "Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection",
   "PREREQ_PM" => {
     "Carp" => 0,
+    "PPI" => "1.222",
     "PPIx::QuoteLike" => "0.015",
     "Perl::Critic::Policy" => 0,
     "Perl::Critic::Utils" => 0,
@@ -31,13 +32,13 @@ my %WriteMakefileArgs = (
   "TEST_REQUIRES" => {
     "ExtUtils::MakeMaker" => 0,
     "File::Spec" => 0,
-    "PPI" => 0,
+    "PPI" => "1.222",
     "Test::FailWarnings" => 0,
     "Test::More" => 0,
     "Test::Perl::Critic" => 0,
     "Test::Perl::Critic::Policy" => 0
   },
-  "VERSION" => "2.000001",
+  "VERSION" => "2.000002",
   "test" => {
     "TESTS" => "t/*.t"
   }
@@ -48,7 +49,7 @@ my %FallbackPrereqs = (
   "Carp" => 0,
   "ExtUtils::MakeMaker" => 0,
   "File::Spec" => 0,
-  "PPI" => 0,
+  "PPI" => "1.222",
   "PPIx::QuoteLike" => "0.015",
   "Perl::Critic::Policy" => 0,
   "Perl::Critic::Utils" => 0,

README.md

@@ -4,7 +4,7 @@ Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection - Prevent SQL in
 
 # VERSION
 
-version 2.000000
+version 2.000002
 
 # DESCRIPTION
 
@@ -62,6 +62,12 @@ For example, to declare `quote_function()` and
 
 By default, no functions are considered safe.
 
+
+## safe_variables
+
+A space separated string of variables we know are safe.
+
+
 ## prefer\_upper\_case\_keywords
 
 A boolean indicating whether you'd prefer to detect only SELECT, INSERT, UPDATE

cpanfile

@@ -2,6 +2,7 @@
 # Do not edit this file directly. To change prereqs, edit the `dist.ini` file.
 
 requires "Carp" => "0";
+requires "PPI" => "1.222";
 requires "PPIx::QuoteLike" => "0.015";
 requires "Perl::Critic::Policy" => "0";
 requires "Perl::Critic::Utils" => "0";
@@ -16,7 +17,7 @@ requires "warnings" => "0";
 on 'test' => sub {
   requires "ExtUtils::MakeMaker" => "0";
   requires "File::Spec" => "0";
-  requires "PPI" => "0";
+  requires "PPI" => "1.222";
   requires "Test::FailWarnings" => "0";
   requires "Test::More" => "0";
   requires "Test::Perl::Critic" => "0";

lib/Perl/Critic/Policy/ValuesAndExpressions/PreventSQLInjection.pm

@@ -4,7 +4,7 @@ use 5.006001;
 use strict;
 use warnings;
 
-our $VERSION = '2.000001';
+our $VERSION = '2.000002';
 
 use base 'Perl::Critic::Policy';
 
@@ -215,6 +215,11 @@ Readonly::Scalar my $QUOTING_METHODS_DEFAULT => q|
 Readonly::Scalar my $SAFE_FUNCTIONS_DEFAULT => q|
 |;
 
+# Default for the name of the variables that are safe to
+# concatenate to SQL strings.
+Readonly::Scalar my $SAFE_VARIABLES_DEFAULT => q|
+|;
+
 # Default for the name of the functions that are generally safe to use (because they
 # are not expected to generate SQL calls -- unless you are doing something really,
 # really weird.)
@@ -281,6 +286,13 @@ sub supported_parameters {
             default_string => '0',
             behavior       => 'boolean',
         },
+        {
+            name        => 'safe_variables',
+            description =>
+                'A space-separated string listing the variables that are a safely quoted value',
+            default_string => $SAFE_VARIABLES_DEFAULT,
+            behavior       => 'string',
+        },
     );
 }
 
@@ -791,10 +803,13 @@ sub get_safe_elements {
 
     # If there's nothing in the cache for that line, return immediately.
     return {}
-        if !exists( $self->{'_sqlsafe'}->{$line_number} );
+        if !exists( $self->{'_sqlsafe'}->{$line_number} ) &&  !exists( $self->{_safe_variables});
 
     # Return a hash of safe element names.
-    return { map { $_ => 1 } @{ $self->{'_sqlsafe'}->{$line_number} } };
+    my %hash =  map { $_ => 1 } @{ $self->{'_sqlsafe'}->{$line_number} };
+        # Return a hash of safe element names.
+    map {$hash{$_} = 1 } split( /[,\s]+/, $self->{'_safe_variables'} );
+    return \%hash;
 }
 
 =head2 parse_comments()
@@ -889,7 +904,11 @@ sub parse_config_parameters {
             $self->{'_safe_context_regex'} = undef;
         }
     }
-
+    # Strip surrounding quotes.
+    if ( exists( $self->{'_safe_variables'} ) ) {
+        $self->{'_safe_variables'} =~ s/^['" ]+//;
+        $self->{'_safe_variables'} =~ s/['" ]+$//;
+    }
     return;
 }