Rails params & gc

    We have a drama in the Rails community again. Initial report. There are dynamic finder methods like find_by_* that are defined on models, for example find_by_title or find_by_id.
    They can be used like
    find_by_id(params[:id], select: "CUSTOM SQL")
    But usually they are used like this
    find_by_id(params[:id])
    And SQL injection happens if params[:id] contains {:select => "CUSTOM SQL"}, because the options hash may be passed in the first argument.

    Note: :select is a Symbol, not the String "select". This means the trick ?id[select]=SQL will not work, since the key will be a String. In general, params is a HashWithIndifferentAccess, which in principle cannot have Symbols as keys because they are all stringified on creation.

    There is the authlogic gem, which uses find_by_token(token) where token is the object from the session (which is stored in cookies and signed with session_secret). To put :select => "SQL" into it, you need to know session_secret, so the vulnerability is extremely rare.
    This whole SQL injection CVE is not worth a damn! So what is this post about? DoS!

    I just started digging further, since I have been working with alternative inputs for a long time. Rails by default accepts three types of request.body: XML, JSON and x-www-form-urlencoded. The vast majority of applications use the latter, a string of the form key=val&key2=val2. But if the client sends the appropriate Content-Type, another parser is used automatically: XML/JSON, and even YAML, although that one is turned off by default.
    And XML is flexible. For example, if you send

    then the code find(params[:id]) will execute exactly like find(:all).

    User input is turned into Symbols, and Symbols are not collected by the GC. With a script like this from the browser console you can "hurt" a Rails application (the script was removed so that script kiddies do not use it). Try it on localhost and watch the memory of the ruby process.

    A patch for application.rb that turns off the alternative parsers:
    ActionDispatch::ParamsParser::DEFAULT_PARSERS = {}
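    As an added defensive example (not code from the original post or from Rails), the guard below implements in plain Ruby the distinction the post relies on: a form-encoded body can only produce Strings, Arrays and string-keyed Hashes, so any Symbol or typed value in params must have come from one of the alternative parsers. The helper names safe_id and non_form_values and the sample params hashes are constructed for this example.

```ruby
# Added example (not from the original post): a guard for values that end up
# in find_by_* calls. Form-encoded bodies only ever produce Strings, Arrays and
# string-keyed Hashes; the XML/JSON parsers can also produce Symbols and other
# typed values, so anything else is treated as hostile and rejected.

# Returns the id as an Integer if it is a plain numeric String or an Integer,
# or nil for anything else (Symbol, Hash, Array, nil, non-numeric Strings).
def safe_id(value)
  case value
  when Integer then value
  when String  then value.match?(/\A\d+\z/) ? value.to_i : nil
  else nil
  end
end

# Walks a parsed params structure and collects the path of every key or value
# that a form-encoded body cannot express (non-String keys, non-String leaves).
# A non-empty result means an alternative parser smuggled in a typed value,
# e.g. a Symbol, and the request should be logged and rejected.
def non_form_values(params, path = "params")
  case params
  when Hash
    params.flat_map do |k, v|
      key_issue = k.is_a?(String) ? [] : ["#{path}[#{k.inspect}] (non-string key)"]
      key_issue + non_form_values(v, "#{path}[#{k}]")
    end
  when Array
    params.each_with_index.flat_map { |v, i| non_form_values(v, "#{path}[#{i}]") }
  when String
    []
  else
    ["#{path} = #{params.inspect} (#{params.class})"]
  end
end

# Constructed inputs: what the different parsers could hand to the application.
FORM_PARAMS       = { "id" => "42" }                          # key=val body
XML_SYMBOL_PARAMS = { "id" => :all }                          # typed XML value
XML_HASH_PARAMS   = { "id" => { :select => "CUSTOM SQL" } }   # options smuggled in

if __FILE__ == $0
  [FORM_PARAMS, XML_SYMBOL_PARAMS, XML_HASH_PARAMS].each do |p|
    puts "#{p.inspect}: id=#{safe_id(p["id"]).inspect} issues=#{non_form_values(p)}"
  end
end
```

Only the form-encoded sample passes both checks; the two XML-shaped samples yield a nil id and a non-empty issue list that can be fed to logging.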

    PS: but that's not all (there is a revival of the old CVE with [1, nil] via a JSON/XML payload).
