The right condition being: the ability to send symbols to ActiveRecord. Reading the advisory, you might think this bug could be exploited simply with something like: http://vulnerable/?id[select]=SQL.
However, ActiveSupport (a Rails core library used by ActiveRecord) prevents this: before the options hash reaches the query builder, it checks that every key is one of the known option names, and those names are symbols:
# Hash core extension from ActiveSupport: raises if the hash contains any key
# that is not in the whitelist, which is a list of symbols.
def assert_valid_keys(*valid_keys)
  unknown_keys = keys - [valid_keys].flatten
  raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
end
From my testing, the following keys are valid: :conditions, :include, :joins, :limit, :offset, :extend, :order, :select, :readonly, :group, :having, :from, :lock. And since Ruby cares about data type (i.e. the string "select" and the symbol :select are not the same thing):
>> ["select"] - [:select]
=> ["select"]
It can't be trivially exploited like in the URL above. I can't think of any way to bypass this at the moment... However, if you can modify a Rack session, for example (especially if you don't sign them because you think they don't contain anything worth tampering with), it's trivial to exploit ;)
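To make the string-versus-symbol point concrete, here is an added example (not code from the original post, and not the Rails implementation). It reimplements the quoted assert_valid_keys check as a plain function, then runs it over three constructed option hashes: the string-keyed hash a query string like ?id[select]=... yields, a symbol-keyed hash restored from an unsigned Marshal-serialized session, and a hypothetical application that calls symbolize_keys on params before passing them to find. The whitelist, the option values and all three inputs are constructed for the example.

```ruby
# Added example: standalone version of the ActiveSupport check quoted above.
# The whitelist mirrors the find option keys listed in the post.
VALID_FIND_KEYS = [:conditions, :include, :joins, :limit, :offset, :extend,
                   :order, :select, :readonly, :group, :having, :from, :lock].freeze

# Same logic as the quoted Hash#assert_valid_keys, taking the hash explicitly.
# Array difference is by equality, and "select" != :select, so a string key is
# always "unknown" even when it spells a valid option name.
def assert_valid_keys(options, *valid_keys)
  unknown_keys = options.keys - [valid_keys].flatten
  raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(', ')}") unless unknown_keys.empty?
  options
end

# :rejected if the whitelist check raises, :accepted if the hash gets through.
def check_options(options)
  assert_valid_keys(options, *VALID_FIND_KEYS)
  :accepted
rescue ArgumentError
  :rejected
end

# Case 1 (constructed): what ?id[select]=... becomes after Rack parses the
# nested query string: a Hash with a String key, not a Symbol key.
QUERY_PARAM_OPTIONS = { "select" => "1; --" }.freeze

def from_query_string
  check_options(QUERY_PARAM_OPTIONS)
end

# Case 2 (constructed): a session blob the attacker wrote themselves. Marshal
# round-trips Symbol keys, so the restored hash carries :select and passes the
# check. Loading Marshal data from an untrusted party is itself unsafe; the
# point here is only that an unsigned session is attacker-controlled input.
TAMPERED_SESSION = Marshal.dump({ :select => "1; --" }).freeze

def from_tampered_session
  check_options(Marshal.load(TAMPERED_SESSION))
end

# Case 3 (hypothetical): an application that symbolizes request params before
# handing them to find. This recreates the "send symbols to ActiveRecord"
# condition from ordinary query-string input, with no session tampering needed.
def from_symbolized_params
  symbolized = QUERY_PARAM_OPTIONS.transform_keys(&:to_sym) # like ActiveSupport's symbolize_keys
  check_options(symbolized)
end

if __FILE__ == $PROGRAM_NAME
  puts "query string params:  #{from_query_string}"
  puts "tampered session:     #{from_tampered_session}"
  puts "symbolized params:    #{from_symbolized_params}"
end
```

The practical check this suggests when reviewing an application: grep for symbolize_keys, to_sym or with_indifferent_access applied to params, and confirm that cookie sessions are signed, since either one removes the type mismatch that is the only thing standing between the URL above and the query builder.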