Ah, I was executing that query against a NOT NULL field.  DM was being smart 
and wasn't even going to the DB.

Listing.first(:title => [nil])
 ~   SQL (36.869ms)  SELECT <redacted> FROM `listings` ORDER BY `id` LIMIT 1

No WHERE clause.  Ugh.  It returned the listing in our DB with the ID of 1.

Seems like DM is vulnerable to the same issue, yes.


On 06/Jun/2012, at 18:40, Kaspar Schiess wrote:

> Hi everyone,
> 
> Rails was recently released because of these two security problems:
> 
>  * CVE-2012-2660 Ruby on Rails Active Record Unsafe Query Generation Risk
>  * CVE-2012-2661 Ruby on Rails Active Record SQL Injection Vulnerability
> 
> (see the ruby-lang mailing list)
> 
> Is Datamapper vulnerable to any of those? More specifically, does Datamapper 
> allow special strings to translate into 'is null'?
> 
> The documentation at http://datamapper.org/docs/find.html would suggest that 
> it is at least vulnerable to the second attack where a hash is crafted to 
> query other tables than those immediately mentioned in the controller code.
> 
> Anyone got the time to look into this?
> 
> regards,
> kaspar
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "DataMapper" group.
> To post to this group, send email to datamapper@googlegroups.com.
> To unsubscribe from this group, send email to 
> datamapper+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/datamapper?hl=en.
> 

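The failure mode shown above (a `[nil]` condition that quietly drops the WHERE clause) is the same one behind the two Rails CVEs Kaspar quotes: a parameter expected to be a scalar string arrives as nil, an Array, or a Hash and the ORM either emits `IS NULL` or omits the condition. The defensive check below is an added example, not DataMapper's code and not code from anyone in this thread; `safe_scalar_conditions`, `where_clause`, and the sample parameter hashes are hypothetical and framework-agnostic, standing in for a request-parameter filter that runs before any finder is called.

```ruby
# Added example (not DataMapper's or the thread authors' code): a defensive
# filter applied to request parameters *before* they reach an ORM finder such
# as Listing.first(...). A parameter that is expected to be a scalar string may
# instead arrive as nil, an Array containing nil, or a Hash (query-string
# syntax like ?title[]= or ?title[other]=), which some ORMs turn into
# "IS NULL" or drop from the WHERE clause entirely. The helper keeps only
# whitelisted keys whose values are non-empty Strings and raises on anything
# else, so a missing or oddly-typed parameter can never widen the query.

class UnsafeConditionError < ArgumentError; end

# Returns a Hash of { Symbol => String } suitable for passing to a finder.
# Only keys listed in +allowed+ survive; any nil / Array / Hash value raises.
def safe_scalar_conditions(params, allowed)
  params = params.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  allowed.each_with_object({}) do |key, out|
    next unless params.key?(key)
    value = params[key]
    unless value.is_a?(String) && !value.empty?
      raise UnsafeConditionError,
            "#{key} must be a non-empty String, got #{value.inspect}"
    end
    out[key] = value
  end
end

# A tiny stand-in for an ORM's condition-to-SQL step, included only so the
# example runs offline. It shows why the check matters: an empty condition
# hash yields a query with no WHERE clause at all, like the one in the thread.
def where_clause(conditions)
  return "" if conditions.empty?
  "WHERE " + conditions.map { |k, _| "`#{k}` = ?" }.join(" AND ")
end

# Constructed sample inputs, modelled on how a web framework decodes
# ?title=foo versus ?title[]= versus ?title[x]=y.
GOOD_PARAMS  = { "title" => "Lakeside flat", "ignored" => "x" }
ARRAY_PARAMS = { "title" => [nil] }
HASH_PARAMS  = { "title" => { "listings.id" => "1" } }

if __FILE__ == $PROGRAM_NAME
  conds = safe_scalar_conditions(GOOD_PARAMS, [:title])
  puts "SELECT * FROM `listings` #{where_clause(conds)} LIMIT 1"
  [ARRAY_PARAMS, HASH_PARAMS].each do |p|
    begin
      safe_scalar_conditions(p, [:title])
    rescue UnsafeConditionError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The point of raising rather than silently dropping the key is that a dropped key is exactly what produces the unbounded `SELECT ... LIMIT 1` seen above; failing loudly on an unexpected parameter shape is also easy to alert on from application logs.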