Hi Kaspar,

If I'm reading the bug reports correctly, this basically means ActiveRecord was handling the value `[nil]` (i.e. an array containing nil) like IS NULL.

In DataMapper, the correct thing seems to happen in terms of the results:

  >> User.all(:username => [nil])
  => []

However, the SQL it executes doesn't look right:

  >> DataMapper.repository(:default).adapter.send(:select_statement, User.all(:username => [nil]).query)
  => ["SELECT <redacted> FROM `users` ORDER BY `id`", []]

I'm not sure what the empty array is supposed to be, and I'm not sure why there's no WHERE clause in the SQL. DataMapper filters the records that are returned against the query, so perhaps this contributes to the fact that no results are returned.

I may have also entirely misunderstood the issue that was reported ;)

Cheers,
Chris

On 6 Jun 2012, at 18:40, Kaspar Schiess wrote:

> Hi everyone,
>
> Rails was recently released because of these two security problems:
>
> * CVE-2012-2660 Ruby on Rails Active Record Unsafe Query Generation Risk
> * CVE-2012-2661 Ruby on Rails Active Record SQL Injection Vulnerability
>
> (see the ruby-lang mailing list)
>
> Is Datamapper vulnerable to any of those? More specifically, does Datamapper
> allow special strings to translate into 'is null'?
>
> The documentation at http://datamapper.org/docs/find.html would suggest that
> it is at least vulnerable to the second attack where a hash is crafted to
> query other tables than those immediately mentioned in the controller code.
>
> Anyone got the time to look into this?
>
> regards,
> kaspar
>
> --
> You received this message because you are subscribed to the Google Groups "DataMapper" group.
> To post to this group, send email to datamapper@googlegroups.com.
> To unsubscribe from this group, send email to datamapper+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/datamapper?hl=en.
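The two CVEs discussed in this thread both come down to request parameters that are not scalars (an array containing nil, or a nested hash) reaching the query builder. The following is an added example, not code from DataMapper, Rails or anyone in this thread: it shows the kind of parameter check a controller can apply before building a `User.all(...)` query, with a small classifier that flags the two shapes the thread talks about. The field whitelist, the `UnsafeParam` error and the sample parameter hashes are assumptions made for the example.

```ruby
# Added example (not from DataMapper, Rails or this thread). A lookup value
# taken from the request must be a plain scalar before it reaches a query
# builder. `[nil]` (array with nil) and nested hashes such as
# {"users.admin" => true} are what query strings like ?username[]= and
# ?username[users.admin]=true parse into.

class UnsafeParam < StandardError; end

# Return the value only if it is a String, Integer or Symbol; raise otherwise.
def scalar_param(value)
  case value
  when String, Integer, Symbol
    value
  else
    raise UnsafeParam, "expected scalar, got #{value.class}: #{value.inspect}"
  end
end

# Fields a caller may filter on (assumed whitelist for the example).
ALLOWED_FIELDS = %w[username email].freeze

# Build a conditions hash for the whitelisted fields; every value must pass
# scalar_param. Unknown keys are dropped rather than forwarded to the query.
def safe_conditions(params)
  params.each_with_object({}) do |(key, value), conds|
    next unless ALLOWED_FIELDS.include?(key.to_s)
    conds[key.to_sym] = scalar_param(value)
  end
end

# Classify an incoming value by the shape the advisories describe:
# :is_null for an array containing nil, :nested_hash for a hash,
# :array for any other array, :scalar otherwise. Handy when auditing logs.
def classify_param(value)
  return :nested_hash if value.is_a?(Hash)
  return :is_null if value.is_a?(Array) && value.any?(&:nil?)
  value.is_a?(Array) ? :array : :scalar
end

if __FILE__ == $0
  # Constructed samples of parsed query-string parameters.
  samples = [{ "username" => "chris" }, { "username" => [nil] },
             { "username" => { "users.admin" => true } }]
  samples.each do |p|
    puts "#{p.inspect} -> #{safe_conditions(p).inspect} (#{classify_param(p['username'])})"
  rescue UnsafeParam => e
    puts "#{p.inspect} -> rejected (#{e.message})"
  end
end
```

The resulting conditions hash is what you would then pass to `User.all(...)`; anything that raises never reaches the adapter, so the missing-WHERE case above cannot be triggered from the request.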