matiasarenhard/rails-cve-2017-17917

rails-cve-2017-17917

This project reproduces a SQL injection vulnerability in the id parameter of a Rails controller, and then shows how to mitigate and fix the issue. CVE reference: https://www.cvedetails.com/cve/CVE-2017-17917/?q=CVE-2017-17917

Stack:

  Ruby: 3.2.2
  Rails: 7.0.8
  Docker: 24.0.5
  Docker-Compose: 1.29.2
  PostgreSQL


We selected this CVE to show that this class of issue still occurs in the latest versions of Rails, which reaffirms the relevance of development best practices.

Schema from the environment to replicate the vulnerability


Instructions to replicate this vulnerability.

Requirements:

  docker
  docker-compose

Steps to build the project:

  sudo docker-compose build


  sudo docker-compose run web bundle install


  sudo docker-compose run web rails db:create db:migrate db:seed


  sudo docker-compose up


Go to http://localhost:3000/


SQL injection with the parameter value 1 OR id > 1


Assessing the risks of the vulnerability in a production environment.

With this SQL injection, an attacker can retrieve user data they would not normally be allowed to view.
Difficulty of execution: easy

Conclusion

The issue lies in the controller method, specifically in how the where clause is invoked: the request parameter is interpolated directly into the SQL string, so any SQL syntax it contains becomes part of the query.

  @clients = Client.where("id = #{params[:id_search]}")

The problem is resolved by using a hash condition instead. ActiveRecord then passes the value as a bind parameter and casts it to the column's integer type, so it is never spliced into the SQL text:

  @clients = Client.where(id: "#{params[:id_search]}")
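The following is an added example, not code from this repository: a pure-Ruby model of what ActiveRecord does with the two where forms above, so it runs without Rails or a database. The SQL shapes, the to_i cast and the strict_id helper are assumptions made for illustration (ActiveRecord's integer type casts with to_i; the $1 placeholder mimics PostgreSQL binds).

```ruby
# Constructed sample input: the payload used in this README.
PAYLOAD = "1 OR id > 1"

# Models Client.where("id = #{params[:id_search]}").
# The parameter is pasted into the SQL text, so "OR id > 1" becomes
# part of the WHERE clause and every client with id >= 1 is returned.
def unsafe_where_sql(id_search)
  "SELECT clients.* FROM clients WHERE (id = #{id_search})"
end

# Models Client.where(id: params[:id_search]).
# ActiveRecord emits a bind placeholder and casts the value with the
# column's integer type (to_i); "1 OR id > 1" therefore binds as 1 and
# the trailing text never reaches the SQL parser. Returns [sql, binds].
def safe_where_sql(id_search)
  casted = id_search.to_i # assumption: mirrors ActiveModel::Type::Integer
  ["SELECT clients.* FROM clients WHERE clients.id = $1", [casted]]
end

# Hypothetical defence-in-depth helper for a controller: accept only a
# strictly numeric id, so a payload is rejected (nil) instead of being
# silently truncated to 1 and served as a valid lookup.
def strict_id(param)
  Integer(param.to_s, exception: false)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_where_sql(PAYLOAD)   # whole clause altered by the payload
  p safe_where_sql(PAYLOAD)        # bind value is the integer 1
  p strict_id(PAYLOAD)             # nil -> controller can respond 400
  p strict_id("42")                # 42
end
```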

Tests

  sudo docker-compose run web rspec

