This project reproduces a SQL injection vulnerability in the id parameter and then shows how to mitigate and fix it. CVE reference: https://www.cvedetails.com/cve/CVE-2017-17917/?q=CVE-2017-17917
Stack:
Ruby: 3.2.2
Rails: 7.0.8
Docker 24.0.5
Docker-Compose 1.29.2
PostgreSQL
We selected this CVE to show that the issue still occurs in the latest versions of Rails: the framework's query API cannot protect code that interpolates request parameters directly into raw SQL, so the development best practices it illustrates remain relevant.
Requirements:
docker
docker-compose
Steps to build the project:
sudo docker-compose build
sudo docker-compose run web bundle install
sudo docker-compose run web rails db:create db:migrate db:seed
sudo docker-compose up
Go to http://localhost:3000/
SQL injection payload for the id_search parameter: 1 OR id > 1
With this input the WHERE clause becomes id = 1 OR id > 1, which is true for every row, so the query returns all clients and an attacker can retrieve user data they would not normally be allowed to view.
Difficulty of execution: easy
The issue lies in the controller method, which builds the where clause by interpolating the raw request parameter into the SQL string:
@clients = Client.where("id = #{params[:id_search]}")
Link to Code
The problem is resolved by passing the value as a hash condition, which ActiveRecord binds as a query parameter typed to the id column instead of splicing it into the SQL string:
@clients = Client.where(id: "#{params[:id_search]}")
The string interpolation inside the hash is unnecessary; Client.where(id: params[:id_search]) behaves the same. The placeholder form Client.where("id = ?", params[:id_search]) is also safe, because the value is quoted as a literal rather than interpolated into the statement.
Link to Code
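To make the difference concrete without a running Rails app, here is an added example in plain Ruby (not the project's code) that models the three ways the id_search value can reach the query: raw interpolation as in the vulnerable controller, quoting as a bound literal as the ? placeholder form does, and strict integer validation before any SQL is built. The function names, the clients table name and the quoting helper are assumptions for illustration.

```ruby
# Added example, not part of the project: plain Ruby, no Rails required.
# It models how the same user-controlled parameter ends up in SQL under
# the vulnerable where() form and under two safe alternatives.

# Vulnerable form: the raw parameter is interpolated into the SQL fragment,
# exactly like Client.where("id = #{params[:id_search]}").
def vulnerable_where(id_search)
  "SELECT clients.* FROM clients WHERE (id = #{id_search})"
end

# Hypothetical quoting helper standing in for what the bind-parameter form
# Client.where("id = ?", v) does: the value becomes a SQL string literal with
# embedded single quotes doubled, so it can never close the expression.
def quote_sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def parameterised_where(id_search)
  "SELECT clients.* FROM clients WHERE (id = #{quote_sql_literal(id_search)})"
end

# Stricter still: ids are integers, so reject anything that is not one before
# it reaches the database. Integer() raises ArgumentError on "1 OR id > 1"
# and TypeError on nil; both are treated as "no valid id".
def validated_id(id_search)
  Integer(id_search, 10)
rescue ArgumentError, TypeError
  nil
end

def validated_where(id_search)
  id = validated_id(id_search)
  return nil if id.nil? # a controller would render 400 or an empty result here
  "SELECT clients.* FROM clients WHERE (id = #{id})"
end

PAYLOAD = "1 OR id > 1" # the injection string from this README

if __FILE__ == $0
  puts vulnerable_where(PAYLOAD)      # the OR becomes part of the query
  puts parameterised_where(PAYLOAD)   # the OR is inside a string literal
  p validated_where(PAYLOAD)          # nil: rejected before a query exists
  puts validated_where("7")           # the only form that reaches the DB
end
```

Run it with ruby and compare the three outputs for the README's payload: only the interpolated form yields an OR that the database evaluates; the quoted form produces a literal that an integer column will not accept (PostgreSQL reports an invalid input syntax error), and the validated form refuses the input before a query is built.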
To run the test suite:
sudo docker-compose run web rspec