security bug? find_by_attributes with hash #10633
And I got this in my exception notifier:
Querying by a hash allows you to add conditions on the SQL query for joined tables.
There used to be a vulnerability about this in previous versions of Rails in the case of empty hashes. You can prevent this exception, and any potential unseen issue, with strong parameters (included in Rails 4).
Then the email will necessarily be a string. Any other value will send a 400 HTTP code to the user.
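The strong-parameters filtering recommended above, as an added example that is not part of this issue or of Rails itself: a minimal stand-in written against the Ruby standard library, with the helper names and the permitted-scalar list assumed (modelled on Rails, not copied), so it runs without a Rails app and shows why a posted hash ends in a 400 instead of reaching the query.

```ruby
require "date"

# Scalar types strong parameters accept for `permit(:key)`; a Hash or Array
# value is dropped instead (list modelled on Rails, assumed here, not copied).
PERMITTED_SCALARS = [String, Symbol, NilClass, Numeric, TrueClass, FalseClass,
                     Date, Time].freeze

class ParameterMissing < StandardError; end

def permitted_scalar?(value)
  PERMITTED_SCALARS.any? { |klass| value.is_a?(klass) }
end

# Like `params.require(:key)`: the key must be present and non-empty.
def require_param(params, key)
  value = params.is_a?(Hash) ? params[key.to_s] : nil
  if value.nil? || (value.respond_to?(:empty?) && value.empty?)
    raise ParameterMissing, "param is missing or the value is empty: #{key}"
  end
  value
end

# Like `permit(:a, :b)`: keep only listed keys whose value is a permitted scalar.
def permit_scalars(params, *keys)
  keys.each_with_object({}) do |key, out|
    next unless params.is_a?(Hash) && params.key?(key.to_s)
    value = params[key.to_s]
    out[key.to_s] = value if permitted_scalar?(value)
  end
end

# Controller-style lookup: params.require(:user).permit(:email).require(:email).
# Returns [200, email] for a well-formed request and [400, message] otherwise,
# which is how Rails answers an uncaught ParameterMissing.
def user_email(raw_params)
  user = require_param(raw_params, :user)
  email = require_param(permit_scalars(user, :email), :email)
  [200, email]
rescue ParameterMissing => e
  [400, e.message]
end

# Constructed sample requests (not taken from the issue):
GOOD_REQUEST  = { "user" => { "email" => "alice@example.com" } }.freeze
HASH_REQUEST  = { "user" => { "email" => { "0" => "x" } } }.freeze  # nested hash
ARRAY_REQUEST = { "user" => { "email" => ["alice@example.com"] } }.freeze
```

Only the string survives `permit_scalars`; the hash and array shapes are filtered out and the follow-up `require` turns them into a 400 before any `find_by` or `where` sees them.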
Ah ok, thank you!
Hey, tonight someone tried to hack my web service..
and I noticed that the following happened:
Somehow the attacker could post a hash to my controller, and this raised an SQL exception, which maybe can lead to an SQL injection? (where I thought it never could happen?!)...
In my controller I only use
See for yourself:
Is this a security bug?