Security issue in resource-controller

[masche842]

I know: It should only be accessible by authorized users... Nontheless:

items = resource_model.where(searchable_resource_attributes.map { |attribute|
                    "`#{namespaced_resources_name}`.`#{attribute[:name]}` LIKE '%#{params[:query]}%'"
                }.join(" OR "))

This line is vulnerable regarding to (i.e.):
http://stackoverflow.com/questions/2962263/rails-sql-injection

Solutions are a bit complicated. Maybe it's better to build every condition on its own and chain them together afterwards. I'll try to figure out a nice piece of code for that.

[tvdeyen]

Thanks for reporting this, but could you please not publish any security issues before it's fixed!

See how rails handles this:

http://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#special-treatment-for-security-issues

http://rubyonrails.org/security

[masche842]

Yes, you're right, sorry. Wasn't aware of this as it seemed to be not so critical. Next time via email.
For now I'm working on a solution at the moment to fix it as fast as possible.

You wrote about the arel_table yesterday. Do you now a way to push conditions to where_values? This would make it very easy to chain the conditions up.

[masche842]

Ok, quite difficult. I had something more elegant in mind but for now it should be safe to just sanitize the parameter:

      search_terms = ActiveRecord::Base.sanitize("%#{params[:query]}%")
  items = resource_model.where(searchable_resource_attributes.map { |attribute|
    "`#{namespaced_resources_name}`.`#{attribute[:name]}` LIKE #{search_terms}"
  }.join(" OR "))

[tvdeyen]

Ok, I just created a security@alchemy-cms.com e-mail address