I recently heard about a SQL injection vulnerability in all versions of Ruby on Rails. New versions of Rails 3 (3.0.18, 3.1.9, and 3.2.10) have been released to fix the vulnerability.
Article overview: https://threatpost.com/en_us/blogs/sql-injection-flaw-haunts-all-ruby-rails-versions-010313

Detailed advisory from the RoR Security list: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM

My take: If you use any dynamic finders (like Foo.find_by_id(params[:id])), and if your secret_token.rb file is either the auto-generated version or has been checked into a publicly-readable repository, then an attacker can craft a request which injects an arbitrary SQL query. Updating to the latest minor version of Rails 3.x is said to fix the underlying cause of the vulnerability. The RoR Security advisory linked above has workarounds if you can't upgrade to a fixed version of Rails.

After updating Rails, there is an open issue (https://github.com/rails/rails/issues/7372) that raises a Rack security warning ("No secret option provided to Rack::Session::Cookie."). According to the Rack developers, the warning can be safely ignored for now (https://github.com/rack/rack/issues/485#issuecomment-11956708).

I hope this helps. I'm about as far away from Rails core as possible, but let me know if you have any questions about what I did to check and fix the vulnerability in my own code.

Cheers,
~chris

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
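The workaround the post points to (coerce request parameters to a plain scalar before they reach a dynamic finder such as Foo.find_by_id) as an added example in plain Ruby; this is not code from the original post, the advisory or Rails itself. SafeParam, coerce_id and coerce_string are hypothetical names, and the sample params hashes are constructed.

```ruby
# Added example: reject non-scalar finder arguments before they are passed to
# a dynamic finder. A tampered request can deliver a Hash or Array where the
# code expects a String, and a dynamic finder treats a Hash as query options
# rather than as a value, which is how the injection described above occurs.
# Module and method names here are hypothetical.
module SafeParam
  class BadParam < ArgumentError; end

  # Integer ids: accept an Integer or a String made only of digits.
  def self.coerce_id(value)
    case value
    when Integer then value
    when String
      raise BadParam, "id must be digits, got #{value.inspect}" unless value =~ /\A\d+\z/
      value.to_i
    else
      raise BadParam, "expected scalar id, got #{value.class}"
    end
  end

  # Text lookups (find_by_name, find_by_email): accept only a bounded String.
  def self.coerce_string(value, max_len: 255)
    raise BadParam, "expected String, got #{value.class}" unless value.is_a?(String)
    raise BadParam, "value longer than #{max_len} chars" if value.length > max_len
    value
  end
end

# Constructed sample parameter hashes, as a controller would see them.
NORMAL_PARAMS   = { "id" => "42", "name" => "chris" }
TAMPERED_PARAMS = { "id" => { "key" => "value" }, "name" => ["not", "a", "string"] }

# Returns :ok when both params coerce cleanly, :rejected otherwise.
def check_params(params)
  SafeParam.coerce_id(params["id"])
  SafeParam.coerce_string(params["name"])
  :ok
rescue SafeParam::BadParam
  :rejected
end

# Intended call site: Foo.find_by_id(SafeParam.coerce_id(params[:id]))
puts check_params(NORMAL_PARAMS)   # prints "ok"
puts check_params(TAMPERED_PARAMS) # prints "rejected"
```

Applying the coercion at the controller boundary is a stopgap until the fixed Rails release is deployed; the upgrade remains the real fix.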
