Test quoting integers when comparing a string column with integers. #162

Merged
merged 1 commit into from Apr 29, 2014


Update: the original problem was fixed by commit 93d7213, so now this just adds a regression test.

Problem

An equality with a string column and integer like

SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1;

will match any string that doesn't start with a digit in certain databases (including MySQL). However, Arel will simply treat Fixnum and Bignum as literals, and not give the connection an opportunity to quote these values.

See Potential Query Manipulation with Common Rails Practises for details on the potential security vulnerability.

Solution

Arel should allow the connection to quote integers, but needs to provide the correct column type to avoid quoting integers like the argument to LIMIT.

Quoting the integer will avoid this potential security issue in a database independent way. So the above query can be quoted as follows and only match a login_token with the exact string '0'.

SELECT * FROM `users` WHERE `login_token` = '0' LIMIT 1;
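As an added illustration (not Arel's or Rails' own code), the following Ruby mimics the MySQL coercion the description refers to and the column-aware quoting it asks for; the `mysql_numeric_value` approximation and the sample tokens are constructed assumptions.

```ruby
# Added example: why `login_token = 0` over-matches, and how quoting by column
# type fixes it. Not Arel code; the coercion below is a simplified model.

# Approximation of MySQL's implicit string-to-number coercion when a string
# column is compared with an integer: the leading numeric prefix is used and a
# string with no numeric prefix becomes 0 (assumption: ignores floats/spaces).
def mysql_numeric_value(str)
  m = str.match(/\A-?\d+/)
  m ? m[0].to_i : 0
end

# Rows matched by the unquoted comparison `login_token = 0`.
def unquoted_matches(tokens)
  tokens.select { |t| mysql_numeric_value(t) == 0 }
end

# Quote an Integer according to the target column type: with a :string column
# it becomes a string literal; with a numeric or absent column (e.g. the LIMIT
# argument) it stays an integer literal.
def quote_for_column(value, column_type)
  case value
  when Integer
    column_type == :string ? "'#{value}'" : value.to_s
  when String
    "'#{value.gsub("'", "''")}'"
  else
    raise ArgumentError, "unsupported value #{value.inspect}"
  end
end

# Rows matched once the integer is quoted for the string column: exact matches only.
def quoted_matches(tokens, value)
  literal = quote_for_column(value, :string)
  tokens.select { |t| quote_for_column(t, :string) == literal }
end

# The query from the description with the value quoted per column type.
def lookup_sql(value)
  "SELECT * FROM `users` WHERE `login_token` = " \
    "#{quote_for_column(value, :string)} LIMIT #{quote_for_column(1, :integer)};"
end

TOKENS = ["abc123", "0", "12xyz", "", "x0"].freeze # constructed sample tokens
```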
Collaborator

ernie commented Feb 13, 2013

Interesting. Definitely along the lines of the short-term solution we were discussing the other day, @tenderlove. Assuming the AR tests pass with this, it's not a bad workaround. Tentatively 👍 on this.

Owner

rafaelfranca commented Feb 24, 2013

I just tested this pull request reverting the changes on rails/rails#9207 and using this test case with mysql2 adapter I still get this SQL:

SELECT COUNT(*) FROM `posts` WHERE `posts`.`title` = 0

@rafaelfranca I never recommended completely reverting that pull request, only the changes to the predicate builder. Arel delegates to the connection adapter's quote method for quoting, which must still quote integers as strings for string column types.

This pull request is necessary because quoting wasn't even being delegated to the quote method for Fixnum and Bignum, and the column passed in would be irrelevant because it was never cleared.

Owner

rafaelfranca commented Feb 25, 2013

Ok. I misunderstood, sorry. So we still need to fix the regressions on Rails with or without this pull request, right?

The regressions in rails were from the changes to the predicate builder.

Please don't underestimate the importance of this pull request. It addresses a bug in Arel that is preventing a serious security issue from being fixed.

Attempts to work around this issue have led to regressions in rails. E.g. rails/rails#9207 has been reverted. This is the correct place to fix the issue, without any need for hacks.

@ernie ernie referenced this pull request Mar 13, 2013

Closed

Quote integers in postgresql #172

Member

lukaszx0 commented Mar 13, 2013

@rafaelfranca @tenderlove any progress on this?

Collaborator

ernie commented Mar 13, 2013

Happy to merge this myself but since I'd talked with @tenderlove about it previously just wanted his input before doing so. Seems like a really good option to me, even with the shuffling of last_column. Might be able to do away with last_column altogether by continuing down this path.

Collaborator

ernie commented Mar 15, 2013

So, I chatted with @tenderlove briefly and he raised a good point (one I missed, oops) which is that this exacerbates the problem we already have of mutating the visitor, which makes this code not thread-safe. It's a bigger problem to address than what we have here, but I have an idea about how we might attack it, based on some of the stuff I've done in Squeel which has worked OK. I'm going to at least try to play with it a bit this weekend and see if I get anywhere.

@ernie awesome work with commit 68a9554. Now the correct column type is being provided for quoting, so all that was left was to actually quote integers rather than treat them as literals. This is a much simpler pull request after rebasing.

Collaborator

ernie commented Sep 11, 2013

Thanks for the ❤️!

@ernie ping for review

Collaborator

ernie commented Dec 3, 2013

@dylanahsmith This seems OK to me. Have you run the full AR test suite with this version of Arel?

I tested it against AR master, and it didn't introduce any new test failures, but there were existing failures.

Rebased and ran the full AR test suite again with this version of Arel, still doesn't break any tests.

@ernie can we get this merged now? Or is anything else needed?

@dylanahsmith dylanahsmith changed the title from Quote integers when comparing a string column with integers. to Test quote integers when comparing a string column with integers. Apr 28, 2014

@tenderlove it looks like you fixed the issue this was addressing in commit 93d7213 ❤️

I reduced this pull request to just the regression test, so it should be very safe to merge now!

@dylanahsmith dylanahsmith changed the title from Test quote integers when comparing a string column with integers. to Test quoting integers when comparing a string column with integers. Apr 28, 2014

Test quoting integers when comparing a string column with integers.
An equality with a string column and integer like

  SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1;

will match any string that doesn't start with a digit in certain
databases, like mysql. Make sure we quote the integer to avoid this
problem in a database independent way.

rafaelfranca added a commit that referenced this pull request Apr 29, 2014

Merge pull request #162 from dylanahsmith/quote-integers
Test quoting integers when comparing a string column with integers.

@rafaelfranca rafaelfranca merged commit bb05bf0 into rails:master Apr 29, 2014

