New Rails SQL Injection Vulnerability Uncovered

Posted on by Joe Atzberger

A new SQL-injection vulnerability for the new year, this time in an otherwise common and innocuous-looking part of Ruby on Rails’ ActiveRecord:

Post.find_by_id(params[:id]) 

It is disappointing that the default ORM in Rails cannot yet safely query by identifier, a task made trivial by pre-compiled DBI queries using placeholders, or in this case, a single placeholder!

Check the original post for workaround.

About Joe Atzberger

Joe Atzberger (atz) is a library hacker in Palo Alto, CA. He worked with Galen at both LibLime and Equinox Software, Inc. as an open source developer on Koha and Evergreen. Joe currently works on Hydra and institutional digital repository infrastructure at Stanford.

4 Responses to New Rails SQL Injection Vulnerability Uncovered