searching with _in predicate if the argument is empty returns All records #524
Comments
Hi @tyronewilson, you could populate the P.S. - I'd recommend using the
Perhaps I am a bit slow. How does one specify the default value? I saw a trick in another issue where someone adds [-1] to all arrays for querying, but I couldn't come up with a reliable way to do that without having a maintenance nightmare. Perhaps you can provide me with an example of your meaning above, @jonatack?
This seems to be expected behavior (if I'm understanding correctly).
Well, if you think so. My reading is that that vulnerability is centred around converting [] to nil automatically. However, in both our cases ransack was simply returning ALL records when clearly it doesn't make sense to. If I have
This would be fine assuming the user has at least one friend. However, if someone is new to your system, their call to friends_postings would immediately return Posting.all. That seems like a very serious security issue to me; if there is a way I should be writing these queries instead, I would like to know it. I think the fix should be simple: if an in ransack key is passed an [] or nil or {}, it should return Posting.none since no arguments were passed in essentially. For now I have created a guard around functions where I do this
to be used like so:
Looks and feels cumbersome but it works.
"I think the fix should be simple. if an in ransack key is passed an [] or nil or {}, it should return Posting.none since no arguments were passed in essentially." If you'd like to make a PR that passes the current tests and does this, and that doesn't trigger filtering when there is no user input, and works well with the
Cool, I'll give it some thought. Thanks. On 24 March 2015 at 20:01, Jon Atack notifications@github.com wrote:
👍
Any update on this? Appears the behavior hasn't changed.
I would love if someone could shed some light on why this is expected behavior. At a glance, it seems illogical. Why doesn't everything match nothing? How does ransack perform its _in matching?
I don't know if this issue has been brought up before but for me this is unexpected behaviour.
If I use a query something like
MyModel.search(parent_id_or_id_in: some_association.pluck(:my_model_id)).result
This works fine if I have some_association records. If I don't have any, it will return ALL of the MyModel records instead of none. This is unexpected behaviour in my view and is a serious authorization issue for us, as we are basing some user actions and permissions on the results of these kinds of searches.
If I search for
id_in: []
I get ALL records back; I would expect an empty ActiveRecord::Relation under such circumstances. The same thing happens if I use nil.
The following examples outline the problem:
SomeModel.search(id_in: []).result #all records returned
SomeModel.search(id_in: nil).result #all records returned
SomeModel.search(id_in: SomeModel.none).result #all records returned
SomeModel.search(id_in: {}).result #returns all records
Some cases which are handled properly
SomeModel.search(id_in: 'bla').result #returns empty relation
SomeModel.search(id_in: 3).result #returns empty relation
As mentioned before, this has become a bit of a security issue for us and I hope you will see it the same way. I tried to see how one might fix it, but not being familiar with such a big project as Ransack, I wasn't sure.
Please let me know if we can get this fixed.
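The two behaviours discussed in this thread, as an added illustration that is not Ransack's code and not the reporter's guard: an in-memory stand-in for the `_in` predicate that drops a blank argument as "no user input" (the observable outcome the examples above show; that this is exactly how Ransack arrives at it is an assumption), beside a guarded variant that treats an explicitly empty set of values as "match nothing". The Posting/User structs, the `friends_postings` helper and the sample rows are constructed so the script runs without ActiveRecord or a database.

```ruby
# Added illustration, not Ransack's code: models the failure mode reported in
# this issue with an in-memory collection instead of ActiveRecord.
Posting = Struct.new(:id, :user_id)
User    = Struct.new(:id, :friend_ids)

# Constructed sample data: three postings by three different authors.
POSTINGS = [
  Posting.new(1, 10),
  Posting.new(2, 11),
  Posting.new(3, 12),
].freeze

# A form-driven search treats nil, "", [] and {} as "nothing was entered".
def blank_input?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Naive `attr_in` behaviour as reported above: a blank argument is treated as
# "no user input", the condition is dropped, and every record matches.
# (Assumption: this is the mechanism; the outcome matches the issue's examples.)
def in_predicate_naive(records, attr, values)
  return records if blank_input?(values)
  wanted = Array(values)
  records.select { |r| wanted.include?(r[attr]) }
end

# Guarded variant, in the spirit of the reporter's wrapper: an explicitly
# supplied empty set of values means "match nothing", never "match all".
def in_predicate_guarded(records, attr, values)
  return [] if blank_input?(values)
  in_predicate_naive(records, attr, values)
end

# The friends_postings scenario from the thread (hypothetical helper):
# postings whose author is one of the user's friends.
def friends_postings(user, postings, guarded: true)
  if guarded
    in_predicate_guarded(postings, :user_id, user.friend_ids)
  else
    in_predicate_naive(postings, :user_id, user.friend_ids)
  end
end

if __FILE__ == $PROGRAM_NAME
  newcomer = User.new(1, [])          # no friends yet
  regular  = User.new(2, [10, 12])    # friends with the authors of postings 1 and 3
  puts "naive, no friends:   #{friends_postings(newcomer, POSTINGS, guarded: false).map(&:id).inspect}"
  puts "guarded, no friends: #{friends_postings(newcomer, POSTINGS).map(&:id).inspect}"
  puts "guarded, friends:    #{friends_postings(regular, POSTINGS).map(&:id).inspect}"
end
```

The guard is deliberately placed in front of the predicate rather than inside the generic "drop blank params" step, because a search form legitimately needs blank fields to mean "no filter"; it is only an `_in` value that the application itself derived (a friend list, an association's ids) where emptiness must mean "nothing".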