Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Recent Rails SQL Issues" - 2012
Search
Justin Collins
April 23, 2015
Programming
0
63
"Recent Rails SQL Issues" - 2012
Justin Collins
April 23, 2015
Tweet
Share
More Decks by Justin Collins
See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
130
The Evolution of Rails Security
presidentbeef
1
750
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
120
Practical Static Analysis for Continuous Application Security
presidentbeef
0
170
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
380
Continuous Security with Practical Static Analysis
presidentbeef
1
280
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
200
The World of Rails Security - RailsConf 2015
presidentbeef
8
1.1k
Tales from the Crypt
presidentbeef
1
200
Other Decks in Programming
See All in Programming
Azure AI Foundryのご紹介
qt_luigi
1
210
PHPUnitしか使ってこなかった 一般PHPerがPestに乗り換えた実録
mashirou1234
0
420
functionalなアプローチで動的要素を排除する
ryopeko
1
200
Androidアプリの One Experience リリース
nein37
0
1.2k
週次リリースを実現するための グローバルアプリ開発
tera_ny
1
1.2k
HTML/CSS超絶浅い説明
yuki0329
0
190
DMMオンラインサロンアプリのSwift化
hayatan
0
190
いりゃあせ、PHPカンファレンス名古屋2025 / Welcome to PHP Conference Nagoya 2025
ttskch
1
180
Асинхронность неизбежна: как мы проектировали сервис уведомлений
lamodatech
0
1.3k
どうして手を動かすよりもチーム内のコードレビューを優先するべきなのか
okashoi
3
870
QA環境で誰でも自由自在に現在時刻を操って検証できるようにした話
kalibora
1
140
テストコードのガイドライン 〜作成から運用まで〜
riku929hr
7
1.4k
Featured
See All Featured
Building an army of robots
kneath
302
45k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
We Have a Design System, Now What?
morganepeng
51
7.3k
Building Applications with DynamoDB
mza
93
6.2k
How to train your dragon (web standard)
notwaldorf
89
5.8k
Faster Mobile Websites
deanohume
305
30k
What's in a price? How to price your products and services
michaelherold
244
12k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Adopting Sorbet at Scale
ufuk
74
9.2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.2k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Transcript
Rails Vulnerabilities Last Week CVE-2012-2660 CVE-2012-2661
CVE-2012-2660 Allows unexpected “IS NULL” in queries Affects Rails 2.x
and 3.x
ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end
Query Parameters ?name[] {"name"=>[nil]}
ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end
Resulting SQL SELECT "users".* FROM "users" WHERE "users"."name" IS NULL
CVE-2012-2661 Allows some manipulation of WHERE clause via “dotted” query
keys Affects Rails 3.x
ActiveRecord Query User.where(:name => params[:name])
ActiveRecord Query User.where("users.name" => params[:name])
Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}
ActiveRecord Query User.where(:name => {"users.id" => "1"})
Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =
1
Unreleased Vulnerability Allows some manipulation of WHERE clause via nested
hashes in query values Affects 2.3.x and 3.x
ActiveRecord Query User.where(:name => params[:name], :password => params[:password])
Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}
ActiveRecord Query User.where( :name => {"users"=>{"id"=>"1"}, :password => {"users"=>{"id"=>"1"} )
Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =
1 AND "users"."id" = 1
presidentbeef
qt_luigi
mashirou1234
ryopeko
nein37
tera_ny
yuki0329
hayatan
ttskch
lamodatech
okashoi
kalibora
riku929hr
kneath
hatefulcrawdad
morganepeng
mza
notwaldorf
deanohume
michaelherold
chriscoyier
ufuk
bermonpainter
eileencodes
jlugia
![ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_2.jpg){kind=link}
![Query Parameters ?name[] {"name"=>[nil]}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_3.jpg){kind=link}
![ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_4.jpg){kind=link}
![ActiveRecord Query User.where(:name => params[:name])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_7.jpg){kind=link}
![ActiveRecord Query User.where("users.name" => params[:name])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_8.jpg){kind=link}
![Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_9.jpg){kind=link}
![ActiveRecord Query User.where(:name => params[:name], :password => params[:password])](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_13.jpg){kind=link}
![Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}](https://files.speakerdeck.com/presentations/d3c5df5a52da43898ff9f20462f8b3d6/slide_14.jpg){kind=link}
