Bug: Allow ' in the values in the postgres backend (sqli) #34

rud opened this issue Sep 30, 2014 · 4 comments
rud commented Sep 30, 2014

Seeing this:

```ruby
  # Each value is interpolated straight into the SQL text inside single quotes,
  # so a ' inside v terminates the literal and the rest of v becomes SQL.
  set_attrs = data_hash.map { |k, v| "#{k} = '#{v}'" }.join(', ')
  save_query = "UPDATE #{@table} SET #{set_attrs} WHERE id = #{@id}"
else # Creating a new row.
  if data_hash.empty?
    save_query = "INSERT INTO #{@table} DEFAULT VALUES"
  else
    # Same pattern on INSERT: column names and values are both interpolated as-is.
    columns = data_hash.keys.join(', ')
    values = data_hash.map { |_, v| "'#{v}'" }.join(', ')
    save_query = "INSERT INTO #{@table} (#{columns}) VALUES (#{values})"
```

I know end-user input is not expected to be stored in a configuration backend, but the code as it stands is classic SQL injection.

This might be relevant: http://deveiate.org/code/pg/PG/Connection.html#method-c-escape_string

rud commented Sep 30, 2014

Oh hey, http://deveiate.org/code/pg/PG/Connection.html#method-i-exec_params is even easier to use, should you be so inclined.

Feel free to close if irrelevant.
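As an added example (not app_config's code), here is the UPDATE/INSERT construction from the snippet above rebuilt around bind parameters, the `exec_params` approach the second comment points at. Values travel to Postgres separately from the SQL text, so a `'` in a value is just data; identifiers (table and column names) cannot be bound, so they are quoted as Postgres identifiers instead. `quote_ident` below is a stand-in for `PG::Connection#quote_ident` so the builder runs without a database; `save_row` assumes a `pg` connection object.

```ruby
# Quote an identifier the way Postgres expects: wrap in double quotes and
# double any embedded double quote. Stand-in for PG::Connection#quote_ident
# so this file runs without the pg gem.
def quote_ident(name)
  name = name.to_s
  raise ArgumentError, 'identifier contains NUL' if name.include?("\0")
  '"' + name.gsub('"', '""') + '"'
end

# Build [sql, params] for the save statement. `id` nil means "create a new row".
# Values never touch the SQL string: they are returned as bind parameters.
def build_save_query(table, id, data_hash)
  t = quote_ident(table)
  if id
    raise ArgumentError, 'nothing to update' if data_hash.empty?
    params = data_hash.values.map(&:to_s)
    set_attrs = data_hash.keys.each_with_index.map { |k, i| "#{quote_ident(k)} = $#{i + 1}" }
    params << id.to_s
    ["UPDATE #{t} SET #{set_attrs.join(', ')} WHERE id = $#{params.size}", params]
  elsif data_hash.empty?
    ["INSERT INTO #{t} DEFAULT VALUES", []]
  else
    columns = data_hash.keys.map { |k| quote_ident(k) }.join(', ')
    placeholders = (1..data_hash.size).map { |i| "$#{i}" }.join(', ')
    ["INSERT INTO #{t} (#{columns}) VALUES (#{placeholders})", data_hash.values.map(&:to_s)]
  end
end

# Execute with PG::Connection#exec_params (assumes `conn` is a pg connection).
def save_row(conn, table, id, data_hash)
  sql, params = build_save_query(table, id, data_hash)
  conn.exec_params(sql, params)
end

# Constructed input: the apostrophe stays in the parameter list, not in the SQL.
sql, params = build_save_query('settings', 7, { 'name' => "O'Reilly", 'theme' => 'dark' })
# sql    => UPDATE "settings" SET "name" = $1, "theme" = $2 WHERE id = $3
# params => ["O'Reilly", "dark", "7"]
```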

@Oshuma Oshuma added the bug label Sep 30, 2014
Oshuma (owner) commented Sep 30, 2014

@rud I can imagine a system where app_config is used to store per-user config (i.e., config values accepted from end users), so this could potentially be an issue. I'll investigate when I get some spare time. Thanks for submitting the issue!

rud commented Oct 1, 2014

You're most welcome.

rud commented Oct 23, 2015

Welp, this is still open a year later. I know, life happens 🍰 ✌️
