Additional fix for CVE-2012-2661

While the patched PredicateBuilder in 3.1.5 prevents a user from specifying a table name using the `table.column` format, it doesn't protect against the nesting of hashes changing the table context in the next call to build_from_hash. This fix covers this case as well.
rails · Jun 11, 2012 · cc2903d · cc2903d · kennyj · Jun 13, 2012
1 parent 0ccdeeb
commit cc2903d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
@@ -1,16 +1,16 @@
 module ActiveRecord
   class PredicateBuilder # :nodoc:
-    def self.build_from_hash(engine, attributes, default_table, check_column = true)
+    def self.build_from_hash(engine, attributes, default_table, allow_table_name = true)
       predicates = attributes.map do |column, value|
         table = default_table
 
-        if value.is_a?(Hash)
+        if allow_table_name && value.is_a?(Hash)
           table = Arel::Table.new(column, engine)
           build_from_hash(engine, value, table, false)
         else
           column = column.to_s
 
-          if check_column && column.include?('.')
+          if allow_table_name && column.include?('.')
             table_name, column = column.split('.', 2)
             table = Arel::Table.new(table_name, engine)
           end

diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
@@ -11,6 +11,12 @@ def test_where_error
       end
     end
 
+    def test_where_error_with_hash
+      assert_raises(ActiveRecord::StatementInvalid) do
+        Post.where(:id => { :posts => {:author_id => 10} }).first
+      end
+    end
+
     def test_where_with_table_name
       post = Post.first
       assert_equal post, Post.where(:posts => { 'id' => post.id }).first