Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL (opens in new tab)

(groups.google.com)

43 pointselektronaut11y ago17 comments

17 comments

14 comments · 5 top-level

bni11y ago· 6 in thread

So Active Record is building its SQL from string concatenation, not using prepared statements with bind variables?

All ORMs build at least some of their SQL using string concatenation.

Prepared statements with bind variables only work when the SQL string is static and only the variables change - but ORMS are used to construct full SQL statements with custom select / while / join clauses etc.

X-Istence11y ago

Yes, all ORM's build their SQL using string concatenation, BUT the good ORM's won't use string concatenation on user data, instead they will use bind parameters.

This way the query sent to the server looks like this:

  SELECT * FROM whatever WHERE email = :1 AND user_name = :2;

And then the parameters are passed to the database server separately to bind to the above placeholders.

This way the database server knows what is user provided data and what is part of the SQL, and no special quoting is required since the database server handles that internally. It's much safer in that SQL injection becomes impossible at that point.

1 more reply

jerf11y ago

No, you just have to use some intelligence in tracking your bind variables and bind values together instead of blindly bashing strings together, then at some distant location in the code guess & hope about the number of bind values used. I've got code that does it just fine.

GVIrish11y ago

No you can definitely use prepared statements with bind variables since you can dynamically name the bind variables. So if you have a statement where you don't know how many bind variables will go into the query you can give the bind variable a name and add a number at the end that you increment for each additional bind variable (e.g. @param + i for @param1, @param2, @param3, etc.).

Depending on how complex your query is it can get to be a bit of work but it's doable.

joevandyk11y ago

No, ActiveRecord uses bind variables. It uses prepared statements in some cases.

streptomycin11y ago

Not uncommon, for instance with MySQL in Python: http://stackoverflow.com/questions/2424531/does-the-mysqldb-...

bensedat11y ago· 3 in thread

Looks like the Rails 3.2 update drags along a few other unrelated changes, although they appear to be fairly minor: https://github.com/rails/rails/compare/v3.2.18...v3.2.19

as compared to: https://github.com/rails/rails/compare/v4.1.2...v4.1.3 and https://github.com/rails/rails/compare/v4.0.6...v4.0.7

thibaut_barrere11y ago

I use this now to make sure I review before updating:

https://gist.github.com/thbar/7dc97d3f5f6a52e4fa00

(obviously not to be used in a CI environment).

Also, if you want to make sure you get push notification for security updates, check out this:

http://thibautbarrere.com/how-to-get-push-notifications-for-...

(I get only critical stuff as pushes, and get notified even in the rare case that the rails security email goes to spam as it happened once previously).

bensedat11y ago

If you're applying a patch manually to Rails 4.0/4.1, there was a regression and new versions have been issued: https://groups.google.com/forum/#!topic/rubyonrails-security...

jerhinesmith11y ago

You'd have thought they'd stop doing that after the Github email embarrassment:

https://github.com/blog/1440-github-enterprise-email-inciden...

Pacabel11y ago

It's unfortunate that the wording of the email subject (and the current HN submission title) can make it sound like the problem is with PostgreSQL, when it's really a problem with Active Record's adapter for PostgreSQL.

PostgreSQL itself isn't responsible or affected, contrary to what the "Vulnerabilities Affecting PostgreSQL" phrasing suggests at a glance.

craigkerstiens11y ago

You should be able to see if you are vulnerable by running this query:

  select 
        cn.nspname as schema, 
        relname as table, 
        attname as column, 
        tn.nspname as type_schema, 
        typname as type_name 
    from pg_attribute a 
    inner join pg_class c on a.attrelid = c.oid 
    inner join pg_namespace cn on c.relnamespace = cn.oid 
    inner join pg_type t on a.atttypid = t.oid 
    inner join pg_namespace tn on t.typnamespace = tn.oid 
    where (t.typtype = 'r' or t.typname = 'bit' or t.typname = 'varbit');

jrmiii11y ago

FTA: Only applications which query against either bitstring or range types are vulnerable.

j / k navigate · click thread line to collapse