Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

stop calling to_sym when building arel nodes [CVE-2013-1854]

  • Loading branch information...
commit 5dc2e3531babcbdc165884d1a47cbcd13455522d 1 parent 6ea48eb
@tenderlove tenderlove authored
View
2  activerecord/lib/active_record/relation/predicate_builder.rb
@@ -48,7 +48,7 @@ def self.expand(klass, table, column, value)
column = reflection.foreign_key
end
- queries << build(table[column.to_sym], value)
+ queries << build(table[column], value)
queries
end
View
25 activerecord/test/cases/relation/where_chain_test.rb
@@ -6,26 +6,31 @@ module ActiveRecord
class WhereChainTest < ActiveRecord::TestCase
fixtures :posts
+ def setup
+ super
+ @name = 'title'
+ end
+
def test_not_eq
- expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'hello')
+ expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'hello')
relation = Post.where.not(title: 'hello')
assert_equal([expected], relation.where_values)
end
def test_not_null
- expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], nil)
+ expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], nil)
relation = Post.where.not(title: nil)
assert_equal([expected], relation.where_values)
end
def test_not_in
- expected = Arel::Nodes::NotIn.new(Post.arel_table[:title], %w[hello goodbye])
+ expected = Arel::Nodes::NotIn.new(Post.arel_table[@name], %w[hello goodbye])
relation = Post.where.not(title: %w[hello goodbye])
assert_equal([expected], relation.where_values)
end
def test_association_not_eq
- expected = Arel::Nodes::NotEqual.new(Comment.arel_table[:title], 'hello')
+ expected = Arel::Nodes::NotEqual.new(Comment.arel_table[@name], 'hello')
relation = Post.joins(:comments).where.not(comments: {title: 'hello'})
assert_equal(expected.to_sql, relation.where_values.first.to_sql)
end
@@ -33,20 +38,20 @@ def test_association_not_eq
def test_not_eq_with_preceding_where
relation = Post.where(title: 'hello').where.not(title: 'world')
- expected = Arel::Nodes::Equality.new(Post.arel_table[:title], 'hello')
+ expected = Arel::Nodes::Equality.new(Post.arel_table[@name], 'hello')
assert_equal(expected, relation.where_values.first)
- expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'world')
+ expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'world')
assert_equal(expected, relation.where_values.last)
end
def test_not_eq_with_succeeding_where
relation = Post.where.not(title: 'hello').where(title: 'world')
- expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'hello')
+ expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'hello')
assert_equal(expected, relation.where_values.first)
- expected = Arel::Nodes::Equality.new(Post.arel_table[:title], 'world')
+ expected = Arel::Nodes::Equality.new(Post.arel_table[@name], 'world')
assert_equal(expected, relation.where_values.last)
end
@@ -65,10 +70,10 @@ def test_not_eq_with_array_parameter
def test_chaining_multiple
relation = Post.where.not(author_id: [1, 2]).where.not(title: 'ruby on rails')
- expected = Arel::Nodes::NotIn.new(Post.arel_table[:author_id], [1, 2])
+ expected = Arel::Nodes::NotIn.new(Post.arel_table['author_id'], [1, 2])
assert_equal(expected, relation.where_values[0])
- expected = Arel::Nodes::NotEqual.new(Post.arel_table[:title], 'ruby on rails')
+ expected = Arel::Nodes::NotEqual.new(Post.arel_table[@name], 'ruby on rails')
assert_equal(expected, relation.where_values[1])
end
end

2 comments on commit 5dc2e35

@yahonda

It looks this causes these 3 failures.

$ ARCONN=sqlite3 ruby -Itest test/cases/relation_scoping_test.rb
Using sqlite3
Run options: --seed 64049

# Running tests:

......................F.FF..............................................................

Finished tests in 1.183475s, 74.3573 tests/s, 125.0554 assertions/s.

  1) Failure:
DefaultScopingTest#test_default_scope_with_inheritance [test/cases/relation_scoping_test.rb:393]:
Expected: "Jamis"
  Actual: nil

  2) Failure:
DefaultScopingTest#test_default_scope_with_module_includes [test/cases/relation_scoping_test.rb:399]:
Expected: "Jamis"
  Actual: nil

  3) Failure:
DefaultScopingTest#test_default_scope_with_multiple_calls [test/cases/relation_scoping_test.rb:405]:
Expected: "Jamis"
  Actual: nil

88 tests, 148 assertions, 3 failures, 0 errors, 0 skips
$
@yahonda

Fixed. Thanks.

Please sign in to comment.
Something went wrong with that request. Please try again.