Ruby on Rails SQL injection

  • There is a SQL injection vulnerability in Active Record that affects all versions of Ruby on Rails released before the fix. It has been assigned the CVE identifier CVE-2012-2695. Because of the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into the application's queries. Impacted code passes a request parameter directly to the `where` method of an ActiveRecord class, like this:
        Post.where(:id => params[:id]).all
    Rails parses bracketed query parameters (`key[a][b]=value`) into nested hashes, so `params[:id]` can arrive as a Hash rather than a String. Active Record's predicate builder reads a Hash value in `where` as a table-and-column reference, so a crafted request makes the WHERE clause test a column of an attacker-chosen table against a chosen value instead of constraining `posts.id`.
  • All users running an affected release should upgrade immediately; the fixed releases are 3.2.6, 3.1.6 and 3.0.14. Note that this vulnerability is a variant of CVE-2012-2661: even if you already upgraded to address that issue, you must take action again.

    Until you can upgrade, the issue can be mitigated by casting the parameter to the type the query expects, so that a nested Hash can never reach `where`. For example, change this:
        Post.where(:id => params[:id]).all
    to this:
        Post.where(:id => params[:id].to_s).all
    With `to_s`, a Hash is turned into its string representation and bound as an ordinary literal that matches no row. If the query expects a list, cast each element (`Array(params[:ids]).map(&:to_s)`) rather than calling `to_s` on the whole parameter. The cast has to be applied at every `where` that receives a request parameter directly, and it is a workaround, not a substitute for upgrading.
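    The following is an added example, not code from the Rails project or from the advisory. It is a small, self-contained stand-in for two pieces of Rails behaviour: the nested query-string parsing that turns `id[users][id]=1` into a Hash, and a simplified re-implementation of the predicate-builder rule that reads a Hash value in `where` as `{table => {column => value}}`. Active Record itself builds Arel nodes and quotes per database adapter, so the generated SQL text is illustrative only; the table name `users` and the request strings are constructed for the demonstration. It shows the impacted `where(:id => params[:id])` pattern beside the advisory's `.to_s` workaround.

```ruby
require 'cgi'

# Constructed stand-in for Rails' nested query-string parsing:
# "id[users][id]=1" becomes {"id" => {"users" => {"id" => "1"}}}.
# This is not Rack's parser; it only covers the bracket convention.
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    path  = key.scan(/[^\[\]]+/)          # "id[users][id]" -> ["id", "users", "id"]
    node  = params
    path[0...-1].each { |segment| node = (node[segment] ||= {}) }
    node[path.last] = value
  end
  params
end

# Simplified re-implementation of the pre-fix predicate-builder behaviour
# (assumption: illustrative, not Active Record's code). A scalar value becomes
# "table.column = value"; a Hash value is read as {table => {column => value}}
# and the builder recurses into it, so the original table and column are
# silently replaced by whatever the request supplied.
def build_from_hash(attributes, table)
  attributes.flat_map do |column, value|
    if value.is_a?(Hash)
      build_from_hash(value, column.to_s)   # the column name is now used as a table name
    else
      "#{table}.#{column} = #{quote_literal(value)}"
    end
  end
end

# Minimal literal quoting for the demonstration (real adapters do more).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The impacted pattern from the advisory: Post.where(:id => params[:id]).
def post_lookup_sql(params)
  'SELECT * FROM posts WHERE ' + build_from_hash({ 'id' => params['id'] }, 'posts').join(' AND ')
end

# The advisory's workaround: Post.where(:id => params[:id].to_s).
# A Hash is flattened to its string form and bound as an ordinary literal,
# so the condition stays on posts.id and matches no row.
def post_lookup_sql_hardened(params)
  'SELECT * FROM posts WHERE ' + build_from_hash({ 'id' => params['id'].to_s }, 'posts').join(' AND ')
end

if __FILE__ == $PROGRAM_NAME
  benign  = parse_nested_query('id=7')              # constructed request
  crafted = parse_nested_query('id[users][id]=1')   # constructed request; "users" is illustrative
  puts post_lookup_sql(benign)             # SELECT * FROM posts WHERE posts.id = '7'
  puts post_lookup_sql(crafted)            # SELECT * FROM posts WHERE users.id = '1'   (posts.id condition is gone)
  puts post_lookup_sql_hardened(crafted)   # SELECT * FROM posts WHERE posts.id = '<string form of the Hash>'
end
```

    Run it with `ruby` and compare the second and third lines of output: the crafted request removes the `posts.id` predicate entirely and substitutes a predicate on a table the application never meant to query, while the cast keeps the attacker's input inside a single bound literal. The same reasoning applies to any `where` call that takes a request parameter as a value.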