Ruby on Rails SQL injection

Description
  • There is a SQL injection vulnerability in Active Record, in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-2695. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. Impacted code passes request parameters directly to the `where` method of an Active Record class, like this:

      Post.where(:id => params[:id]).all

    An attacker can make a request in which `params[:id]` is not a scalar but a specially crafted hash (nested query parameters of the form `id[key]=value` are parsed into a Hash), which causes the WHERE clause of the generated SQL statement to query an arbitrary table with some value.
Remediation
  • All users running an affected release should upgrade immediately; the fixed releases are 3.2.6, 3.1.6 and 3.0.14. Please note that this vulnerability is a variant of CVE-2012-2661: even if you upgraded to address that issue, you must take action again.

    This issue can be mitigated by casting the parameter to the value type the query expects, so that a Hash can never reach `where`. For example, change this:

      Post.where(:id => params[:id]).all

    to this:

      Post.where(:id => params[:id].to_s).all

    Calling `to_s` on a crafted Hash turns it into an ordinary String, which the query layer binds as a literal value instead of interpreting as a nested table/column condition. Where the column is an integer key, casting with `Integer(...)` and rejecting anything that is not a plain numeric string is a stricter check than `to_s`.
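The following is an added example, not code from the advisory or from Rails. It models the parameter shapes involved: how a nested query string such as `id[users]=1` arrives in `params` as a Hash, why passing that Hash straight into a `where(:id => ...)` condition is the hazardous pattern, what the advisory's `to_s` workaround changes, and a stricter integer cast. `parse_nested_params` is a deliberately simplified stand-in for Rack's nested-parameter parser (one level of nesting, no arrays), and `cast_id`, `vulnerable_condition`, `advisory_mitigation` and `hardened_condition` are hypothetical helpers written for this demo; the query strings are constructed sample input.

```ruby
# Added example, not from the Rails advisory or Rails itself.
# Models how a nested query string becomes a Hash in params, why handing that
# Hash to `where(:id => ...)` is the hazardous shape, and how strict casting
# keeps only the scalar the query expects.
require "uri"

# Simplified stand-in for Rack's nested-parameter parsing (one level of
# nesting only, no arrays): "id[users]=1" becomes {"id" => {"users" => "1"}}.
# This is a constructed model for the demo, not Rack's implementation.
def parse_nested_params(query)
  params = {}
  URI.decode_www_form(query).each do |key, value|
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]*)\]\z/))
      outer, inner = m[1], m[2]
      params[outer] = {} unless params[outer].is_a?(Hash)
      params[outer][inner] = value
    else
      params[key] = value
    end
  end
  params
end

# The advisory's vulnerable pattern: whatever arrived under "id" is passed
# straight through as the condition value (a Hash here, not a scalar).
def vulnerable_condition(params)
  { id: params["id"] }
end

# The advisory's workaround: to_s makes a crafted Hash an ordinary String,
# which the query layer quotes as a literal instead of treating it as a
# nested table/column condition.
def advisory_mitigation(params)
  { id: params["id"].to_s }
end

# Stricter cast for an integer primary key: accept only a String of digits,
# so Hashes, Arrays, nil and SQL fragments are all rejected (hypothetical helper).
def cast_id(value)
  return nil unless value.is_a?(String) && value.match?(/\A\d+\z/)
  Integer(value, 10)
end

# Hardened call site: the condition is built only from the cast value.
def hardened_condition(params)
  id = cast_id(params["id"])
  raise ArgumentError, "id must be a plain integer" if id.nil?
  { id: id }
end

if __FILE__ == $PROGRAM_NAME
  crafted = parse_nested_params("id[users]=1")
  puts "params: #{crafted.inspect}"
  puts "vulnerable condition value class: #{vulnerable_condition(crafted)[:id].class}"
  puts "advisory mitigation value class:  #{advisory_mitigation(crafted)[:id].class}"
  begin
    hardened_condition(crafted)
  rescue ArgumentError => e
    puts "hardened condition rejected input: #{e.message}"
  end
  puts "hardened condition for id=42: #{hardened_condition(parse_nested_params('id=42')).inspect}"
end
```

Run it with `ruby` to see the three shapes side by side: the crafted request yields a Hash under `"id"`, `to_s` collapses it to a String that can only ever be bound as a literal, and the integer cast refuses it outright, which is the behaviour to prefer for a numeric primary key. In a real Rails application the parsing is done by Rack before the controller runs, so the only part under your control is what you do with `params[:id]` before it reaches `where`.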
References