Francois Beausoleil
2006-Feb-28  07:39 UTC
[Rails] acts_as_taggable vulnerable to attacks ?
Hi all !
I'd like to confirm if I'm reading correctly.
It seems ActiveRecord::Acts::Taggable::SingletonMethods#find_tagged_with
is vulnerable to SQL injection attacks:
def find_tagged_with(options = {})
  options = { :separator => ' ' }.merge(options)
  tag_names = ActiveRecord::Acts::Taggable.split_tag_names(options[:any] || options[:all], options[:separator])
  raise "No tags were passed to :any or :all options" if tag_names.empty?
  o, o_pk, o_fk, t, t_pk, t_fk, jt = set_locals_for_sql
  # tag_names goes into the string literal below without any quoting
  sql = "SELECT #{o}.* FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk}
        AND (#{t}.name = '#{tag_names.join("' OR #{t}.name='")}')
        AND #{o}.#{o_pk} = #{jt}.#{o_fk}"
  ...
end
Notice tag_names is directly interpolated into the generated SQL?
First of all, am I seeing things correctly? If so, we should simply
be calling #quote here, right?
Bye !
--
François Beausoleil
http://blog.teksol.info/
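To make the point concrete, here is an added example (not code from the post or from the acts_as_taggable plugin) that builds the tag condition three ways: interpolated as in the plugin, passed through a stand-in for ActiveRecord's connection.quote, and as placeholders with a bind array. The table name "tags" and the quote helper are assumptions; a tag such as rock'n'roll, which a user could legitimately type, is enough to show the query's structure changing.

```ruby
# Constructed stand-in for ActiveRecord's connection.quote on a string:
# wrap in single quotes and double any embedded single quote (ANSI SQL).
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Same shape as the plugin's WHERE clause: names are interpolated verbatim.
def vulnerable_tag_condition(tag_names, t = "tags")
  "(#{t}.name = '#{tag_names.join("' OR #{t}.name='")}')"
end

# Hardened: each name is quoted before it is joined into the clause.
def quoted_tag_condition(tag_names, t = "tags")
  "(" + tag_names.map { |n| "#{t}.name = #{quote(n)}" }.join(" OR ") + ")"
end

# Hardened alternative: "?" placeholders plus the values as bind parameters,
# the shape ActiveRecord accepts as :conditions => ["...", *values].
def bound_tag_condition(tag_names, t = "tags")
  placeholders = Array.new(tag_names.size, "#{t}.name = ?").join(" OR ")
  ["(#{placeholders})", *tag_names]
end

# Decode the string literals an ANSI SQL parser would see in a fragment.
# If the decoded list differs from the tag names that went in, user input
# has escaped the literal and become part of the query's structure.
def literals(sql)
  sql.scan(/'((?:[^']|'')*)'/).flatten.map { |s| s.gsub("''", "'") }
end

if __FILE__ == $0
  tags = ["rock'n'roll", "jazz"]
  puts vulnerable_tag_condition(tags)
  p literals(vulnerable_tag_condition(tags))   # ["rock", "roll", "jazz"]
  puts quoted_tag_condition(tags)
  p literals(quoted_tag_condition(tags))       # ["rock'n'roll", "jazz"]
  p bound_tag_condition(tags)
end
```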
