Re: [DataMapper] Anyone time to check this?
https://github.com/datamapper/dm-do-adapter/pull/15

On 06/Jun/2012, at 18:40, Kaspar Schiess wrote:

> Hi everyone,
>
> Rails was recently released because of these two security problems:
>
> * CVE-2012-2660 Ruby on Rails Active Record Unsafe Query Generation Risk
> * CVE-2012-2661 Ruby on Rails Active Record SQL Injection Vulnerability
>
> (see the ruby-lang mailing list)
>
> Is Datamapper vulnerable to any of those? More specifically, does Datamapper allow special strings to translate into 'is null'?
>
> The documentation at http://datamapper.org/docs/find.html would suggest that it is at least vulnerable to the second attack where a hash is crafted to query other tables than those immediately mentioned in the controller code.
>
> Anyone got the time to look into this?
>
> regards,
> kaspar
>
> --
> You received this message because you are subscribed to the Google Groups "DataMapper" group.
> To post to this group, send email to datamapper@googlegroups.com.
> To unsubscribe from this group, send email to datamapper+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/datamapper?hl=en.

--
You received this message because you are subscribed to the Google Groups "DataMapper" group.
To post to this group, send email to datamapper@googlegroups.com.
To unsubscribe from this group, send email to datamapper+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/datamapper?hl=en.
Re: [DataMapper] Anyone time to check this?
Ah, I was executing that query against a NOT NULL field. DM was being smart and wasn't even going to the DB.

    Listing.first(:title => [nil])
    ~ SQL (36.869ms) SELECT FROM `listings` ORDER BY `id` LIMIT 1

No WHERE clause. Ugh. It returned the listing in our DB with the ID of 1.

Seems like DM is vulnerable to the same issue, yes.
Re: [DataMapper] Anyone time to check this?
Hi Kaspar,

If I'm reading the bug reports correctly, this basically means the ActiveRecord was handling the value `[nil]` (i.e. an array containing nil), like IS NULL.

In DataMapper, the correct thing seems to happen in terms of the results:

    >> User.all(:username => [nil])
    => []

However, the SQL it executes doesn't look right:

    DataMapper.repository(:default).adapter.send(:select_statement, User.all(:username => [nil]).query)
    => ["SELECT FROM `users` ORDER BY `id`", []]

I'm not sure what the empty array is supposed to be, and I'm not sure why there's no WHERE clause in the SQL. DataMapper filters the records that are returned against the query, so perhaps this contributes to the fact no results are returned.

I may have also entirely misunderstood the issue that was reported ;)

Cheers,
Chris
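A defensive check for the class of bug this thread discusses (the `[nil]` and nested-hash finder values Kaspar asked about, and the silently missing WHERE clause shown in the two replies above), as an added example that is not part of the original posts and not DataMapper's own code. `safe_conditions`, `safe_conditions_or_nil` and `UnsafeConditionValue` are hypothetical names; the sample parameter hashes are constructed to match the shape Rack's nested query parser produces for `?title[]` and `?title[listings]=1`.

```ruby
# Added example, not code from DataMapper or from anyone in this thread.
# Mitigation for the CVE-2012-2660 / CVE-2012-2661 class of bug: a query
# string such as "title[]" is parsed by Rack into {"title" => [nil]}, and
# "title[listings]=1" into {"title" => {"listings" => "1"}}. If a controller
# passes that hash straight into Model.first(params), the ORM may turn it
# into IS NULL, a sub-select against another table, or (as observed above)
# no WHERE clause at all. The helper below admits only plain scalars for an
# explicit list of columns, so the query hash can never carry structure the
# controller did not intend.

class UnsafeConditionValue < ArgumentError; end

SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass].freeze

# Hypothetical helper: returns a Hash that is safe to hand to Model.first.
# Unknown keys are dropped; a non-scalar value (Array, Hash, nil) raises, so
# a request probing for IS NULL behaviour fails loudly instead of matching
# the first row in the table.
def safe_conditions(params, allowed_keys)
  allowed = allowed_keys.map(&:to_s)
  params.each_with_object({}) do |(key, value), out|
    key = key.to_s
    next unless allowed.include?(key)
    unless SCALAR_TYPES.any? { |t| value.is_a?(t) }
      raise UnsafeConditionValue, "#{key}: expected a scalar, got #{value.inspect}"
    end
    out[key.to_sym] = value
  end
end

# Wrapper returning nil instead of raising, for callers that want to answer
# 400 Bad Request without exception handling at every call site.
def safe_conditions_or_nil(params, allowed_keys)
  safe_conditions(params, allowed_keys)
rescue UnsafeConditionValue
  nil
end

# Constructed sample inputs, shaped like Rack::Utils.parse_nested_query output.
NORMAL_PARAMS = { "title" => "hello" }.freeze                     # ?title=hello
NULL_PROBE    = { "title" => [nil] }.freeze                       # ?title[]
TABLE_PROBE   = { "title" => { "listings" => "1" } }.freeze       # ?title[listings]=1
EXTRA_KEY     = { "title" => "hello", "owner_id" => "1" }.freeze  # ?title=hello&owner_id=1

if __FILE__ == $PROGRAM_NAME
  p safe_conditions(NORMAL_PARAMS, [:title])      # accepted, title only
  p safe_conditions(EXTRA_KEY, [:title])          # owner_id silently dropped
  p safe_conditions_or_nil(NULL_PROBE, [:title])  # nil: [nil] rejected
  p safe_conditions_or_nil(TABLE_PROBE, [:title]) # nil: nested hash rejected
end
```

The check belongs in the controller, before the hash reaches any finder; it does not depend on how a particular ORM version renders `[nil]`, which is exactly the part that turned out to be surprising above.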