authorSean Griffin <sean@thoughtbot.com>2014-07-02 11:55:52 -0600
committerSean Griffin <sean@thoughtbot.com>2014-07-02 12:04:56 -0600
commit664feb2d002501bd4a6db42f75b2221d4b9410cc (patch)
tree5eebace68433643c7cb14ef0b33a8c31da0b6be4 /activerecord
parent7df68a300c9395e3edf8c603b6fea3db9eaff003 (diff)
Quote range strings when quoting PG ranges
The existing test case for CVE-2014-3483 never sends the generated SQL to the database, and the SQL it accepts is in fact invalid for real inputs.
Diffstat (limited to 'activerecord')
-rw-r--r--activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb2
-rw-r--r--activerecord/test/cases/adapters/postgresql/quoting_test.rb2
-rw-r--r--activerecord/test/cases/adapters/postgresql/range_test.rb17
3 files changed, 19 insertions, 2 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
index cb1c67495b..60b0ee526e 100644
--- a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
@@ -24,7 +24,7 @@ module ActiveRecord
when Range
if /range$/ =~ sql_type
escaped = quote_string(PostgreSQLColumn.range_to_string(value))
- "#{escaped}::#{sql_type}"
+ "'#{escaped}'::#{sql_type}"
else
super
end
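Review bot: The delimiting quotes added on the `+` line are load-bearing and deserve a comment, because the removed line shows how an escape-only fix fails: `quote_string` doubles an embedded `'`, but with no surrounding quotes that doubled quote reads as an empty literal and the `;` in a payload (see the old expected value in quoting_test.rb) still terminates the statement, so the earlier CVE-2014-3483 change left this path open. I would add above the line: `# quote_string only escapes; the surrounding quotes are what make the range text a single SQL literal.` `sql_type` is also interpolated unescaped; it is the column's declared type matched by `/range$/`, which is presumably schema-controlled rather than user input, but a short note stating that assumption would keep a future caller from passing anything else through here. The enclosing method and its `case` start before this hunk.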
diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
index 134c037a83..6f00c0d333 100644
--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
@@ -61,7 +61,7 @@ module ActiveRecord
def test_quote_range
range = "1,2]'; SELECT * FROM users; --".."a"
c = PostgreSQLColumn.new(nil, nil, OID::Range.new(Type::Integer.new, :int8range))
- assert_equal "[1,2]''; SELECT * FROM users; --,a]::int8range", @conn.quote(range, c)
+ assert_equal "'[1,2]''; SELECT * FROM users; --,a]'::int8range", @conn.quote(range, c)
end
def test_quote_bit_string
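Review bot: The updated expectation pins only a quote-based breakout, which covers the CVE payload but not the other character `quote_string` is responsible for, the backslash, which PostgreSQL treats as an escape inside `'...'` when `standard_conforming_strings` is off. A second case with a payload such as `"1,2]\\'; --".."a"` would guard that path; since the exact escaped form depends on how the connection's `quote_string` treats backslashes, I would verify the expected value against a live connection rather than hard-code it from memory. A one-line comment above the assertion, `# quote_string doubles the embedded quote; the outer quotes make the whole range one literal`, would also explain the otherwise odd-looking expected string.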
diff --git a/activerecord/test/cases/adapters/postgresql/range_test.rb b/activerecord/test/cases/adapters/postgresql/range_test.rb
index 0f6e39322c..02d0a9b483 100644
--- a/activerecord/test/cases/adapters/postgresql/range_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/range_test.rb
@@ -262,6 +262,23 @@ _SQL
assert_raises(ArgumentError) { PostgresqlRange.create!(float_range: "(0.5, 0.7]") }
end
+ def test_update_all_with_ranges
+ PostgresqlRange.create!
+
+ PostgresqlRange.update_all(int8_range: 1..100)
+
+ assert_equal 1...101, PostgresqlRange.first.int8_range
+ end
+
+ def test_ranges_correctly_escape_input
+ e = assert_raises(ActiveRecord::StatementInvalid) do
+ range = "1,2]'; SELECT * FROM users; --".."a"
+ PostgresqlRange.update_all(int8_range: range)
+ end
+
+ assert e.message.starts_with?("PG::InvalidTextRepresentation")
+ end
+
private
def assert_equal_round_trip(range, attribute, value)
round_trip(range, attribute, value)
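Review bot: `test_ranges_correctly_escape_input` ties the regression check to a message prefix, `e.message.starts_with?("PG::InvalidTextRepresentation")`, which depends on how the pg gem formats its error text and will silently stop proving anything if that formatting changes; if the wrapped driver exception is exposed on `StatementInvalid` (e.g. an `original_exception` accessor), asserting its class, `assert_kind_of PG::InvalidTextRepresentation, e.original_exception`, would be less brittle. The reason both tests go through `update_all` rather than `create!` is presumably that `update_all` skips attribute type casting and sends the raw `Range` straight through `quote`, which is the path the commit fixes; that deserves a why-comment such as `# update_all bypasses type casting, so the Range hits quote() directly and the SQL really reaches PG`. The `private` section and `assert_equal_round_trip` continue past the end of this hunk.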