security bug? find_by_attributes with hash #10633

Closed
h0jeZvgoxFepBQ2C opened this issue May 15, 2013 · 3 comments

Comments

@h0jeZvgoxFepBQ2C

Hey, tonight someone tried to hack my web service.

And I noticed that the following happened:
somehow the attacker could post a hash to my controller, and this raised an SQL exception, which maybe can lead to an SQL injection? (Where I thought it never could happen?!)

In my controller I only use

user = User.find_by_email(params[:email])

See for yourself:

Loading development environment (Rails 3.2.13)

pry(main)> User.find_by_email({"$acunetix"=>"1"})
  User Load (0.4ms)  SELECT `users`.* FROM `users` WHERE `email`.`$acunetix` = '1' LIMIT 1
ActiveRecord::StatementInvalid: Mysql2::Error: Unknown column 'email.$acunetix' in 'where clause': SELECT  `users`.* FROM `users`  WHERE `email`.`$acunetix` = '1' LIMIT 1
from /...//.rvm/gems/ruby-1.9.2-p290/bundler/gems/rails-5b020fa1101b/activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb:245:in `query'

Is this a security bug?

@h0jeZvgoxFepBQ2C
Author

And I got this in my exception notifier:

An ActiveRecord::StatementInvalid occurred in password_resets#create:

 Mysql2::Error: Unknown column 'email.$acunetix' in 'where clause': SELECT  `users`.* FROM `users`  WHERE `email`.`$acunetix` = '1' LIMIT 1
 /.../www/production/shared/bundle/ruby/1.9.1/bundler/gems/rails-9d7a748a5174/activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb:245:in `query'


-------------------------------
Request:
-------------------------------

 * URL       : http://www......com/passwords
 * IP address: ...
 * Parameters: {"authenticity_token"=>"jcpoK6.....Kd0loU=", "commit"=>"Reset Password!", "email"=>{"$acunetix"=>"1"}, "utf8"=>"✓", "action"=>"create", "controller"=>"passwords"}
 * Rails root: /.../production/releases/201...722
 * Timestamp : 2013-05-14 21:27:05 UTC

@dmathieu
Contributor

Querying by a hash allows you to add conditions on the SQL query for joined tables.
This would be a security issue if you had an email database and were joining it in your SQL query.

User.joins(:email).find_by_email({"id" => 1})

There used to be a vulnerability about this in previous versions of Rails in the case of empty hashes.
This has been fixed in 3.2.9: http://weblog.rubyonrails.org/2012/11/12/ann-rails-3-2-9-has-been-released/

You can prevent this exception, and any potential unseen issue, with strong parameters (included in Rails 4).

email = params.permit(:email)[:email]

Then the email will necessarily be a string. Any other value will send a 400 HTTP code to the user.
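
As an added illustration (not code from this thread, and not Rails or Rack source): the block below reconstructs the three steps the report shows. A form field named `email[$acunetix]` is parsed by Rack's nested-parameter syntax into `{"email" => {"$acunetix" => "1"}}`; Rails 3.2's finder then reads a Hash value as `{table => {column => value}}`, so the attribute name `email` is emitted as a table name and the attacker's key as a column, giving exactly the `` `email`.`$acunetix` = '1' `` fragment in the exception. The `where_fragment` method is a hypothetical model of that behaviour built from the SQL shown above, not the predicate builder itself; `parse_nested_query`, `scalar_param` and `password_reset_where` are likewise hypothetical helpers. The guard rejects any non-String value before it reaches the finder, which is the same effect `permit(:email)` has on a nested Hash, except that it fails loudly.

```ruby
require 'cgi'

# Stand-in for Rack's nested query parsing, which is how a form field named
# "email[$acunetix]" reaches the controller as {"email" => {"$acunetix" => "1"}}.
# Hypothetical helper: one level of nesting, which is all this issue needs.
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key = CGI.unescape(raw_key)
    value = CGI.unescape(raw_value.to_s)
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# MySQL-style single-quoted literal; escapes backslash and quote only.
def quote(value)
  "'" + value.to_s.gsub(/['\\]/) { |c| "\\" + c } + "'"
end

# Reconstruction (not the Rails source) of how Rails 3.2's predicate builder
# expanded find_by_email(value): a scalar compares `users`.`email`, an Array
# becomes IN (...), nil becomes IS NULL, and a Hash is read as
# {table => {column => value}}, so the attribute name is used as a TABLE name.
# That last branch is what produced `email`.`$acunetix` = '1' in the report.
def where_fragment(table, attribute, value)
  case value
  when Hash
    value.map { |column, v| "`#{attribute}`.`#{column}` = #{quote(v)}" }.join(' AND ')
  when Array
    "`#{table}`.`#{attribute}` IN (#{value.map { |v| quote(v) }.join(', ')})"
  when nil
    "`#{table}`.`#{attribute}` IS NULL"
  else
    "`#{table}`.`#{attribute}` = #{quote(value)}"
  end
end

class NonScalarParam < ArgumentError; end

# Hardened accessor: only a String (or a missing key) may reach the finder.
# Strong parameters' permit(:email) silently drops a Hash/Array value; this
# version fails loudly instead so the attempt shows up in logs.
def scalar_param(params, key)
  value = params[key]
  return nil if value.nil?
  raise NonScalarParam, "#{key}: expected String, got #{value.class}" unless value.is_a?(String)
  value
end

# The password_resets#create lookup from the report, with the guard in front.
def password_reset_where(params)
  where_fragment('users', 'email', scalar_param(params, 'email'))
end

if __FILE__ == $0
  # Constructed request body, modelled on the parameters in the notifier output.
  attack = parse_nested_query('email[$acunetix]=1&commit=Reset+Password%21')
  puts "unguarded: WHERE #{where_fragment('users', 'email', attack['email'])}"
  begin
    password_reset_where(attack)
  rescue NonScalarParam => e
    puts "guarded:   rejected (#{e.message})"
  end
  puts "normal:    WHERE #{password_reset_where('email' => 'alice@example.org')}"
end
```

Run it with `ruby finder_hash.rb`: the unguarded line reproduces the `` `email`.`$acunetix` `` fragment from the issue, the guarded call raises before any SQL is built, and a plain string still yields the expected `` `users`.`email` = '...' `` comparison. Note that the values themselves are still quoted, so this is not a classic string injection; the exposure is that the attacker chooses which table and column the condition targets, which only matters when that table is actually joined into the query.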

@h0jeZvgoxFepBQ2C
Author

Ah ok, thank you!
