From 71f7917c553cdc9a0ee49e87af0efb7429759718 Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 30 May 2012 15:04:11 -0700 Subject: predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this CVE-2012-2661 --- .../active_record/associations/association_scope.rb | 17 ++++++++++++++++- .../lib/active_record/relation/predicate_builder.rb | 6 +++--- activerecord/test/cases/relation/where_test.rb | 19 +++++++++++++++++++ 3 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 activerecord/test/cases/relation/where_test.rb diff --git a/activerecord/lib/active_record/associations/association_scope.rb b/activerecord/lib/active_record/associations/association_scope.rb index b3819e3661..f9cffa40c8 100644 --- a/activerecord/lib/active_record/associations/association_scope.rb +++ b/activerecord/lib/active_record/associations/association_scope.rb @@ -75,7 +75,7 @@ module ActiveRecord conditions.each do |condition| if options[:through] && condition.is_a?(Hash) - condition = { table.name => condition } + condition = disambiguate_condition(table, condition) end scope = scope.where(interpolate(condition)) @@ -114,6 +114,21 @@ module ActiveRecord end end + def disambiguate_condition(table, condition) + if condition.is_a?(Hash) + Hash[ + condition.map do |k, v| + if v.is_a?(Hash) + [k, v] + else + [table.table_alias || table.name, { k => v }] + end + end + ] + else + condition + end + end end end end diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb index a789f48725..9c84d8a6d5 100644 --- a/activerecord/lib/active_record/relation/predicate_builder.rb +++ b/activerecord/lib/active_record/relation/predicate_builder.rb @@ -1,16 +1,16 @@ module ActiveRecord class PredicateBuilder # :nodoc: - def self.build_from_hash(engine, attributes, default_table) + def self.build_from_hash(engine, attributes, default_table, check_column = true) predicates = attributes.map do |column, value| table = default_table if value.is_a?(Hash) table = Arel::Table.new(column, engine) - build_from_hash(engine, value, table) + build_from_hash(engine, value, table, false) else column = column.to_s - if column.include?('.') + if check_column && column.include?('.') table_name, column = column.split('.', 2) table = Arel::Table.new(table_name, engine) end diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb new file mode 100644 index 0000000000..90c690e266 --- /dev/null +++ b/activerecord/test/cases/relation/where_test.rb @@ -0,0 +1,19 @@ +require "cases/helper" +require 'models/post' + +module ActiveRecord + class WhereTest < ActiveRecord::TestCase + fixtures :posts + + def test_where_error + assert_raises(ActiveRecord::StatementInvalid) do + Post.where(:id => { 'posts.author_id' => 10 }).first + end + end + + def test_where_with_table_name + post = Post.first + assert_equal post, Post.where(:posts => { 'id' => post.id }).first + end + end +end -- cgit v1.2.3 From dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Wed, 30 May 2012 15:13:03 -0700 Subject: Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this! CVE-2012-2660 --- actionpack/lib/action_dispatch/http/request.rb | 22 ++++++++++++++++++++++ .../dispatch/request/query_string_parsing_test.rb | 7 ++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb index 820921252d..adbb5d1346 100644 --- a/actionpack/lib/action_dispatch/http/request.rb +++ b/actionpack/lib/action_dispatch/http/request.rb @@ -247,6 +247,28 @@ module ActionDispatch LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip } end + protected + + # Remove nils from the params hash + def deep_munge(hash) + hash.each_value do |v| + case v + when Array + v.grep(Hash) { |x| deep_munge(x) } + when Hash + deep_munge(v) + end + end + + keys = hash.keys.find_all { |k| hash[k] == [nil] } + keys.each { |k| hash[k] = nil } + hash + end + + def parse_query(qs) + deep_munge(super) + end + private def check_method(name) diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb index f6a1475d04..181f51add5 100644 --- a/actionpack/test/dispatch/request/query_string_parsing_test.rb +++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb @@ -81,7 +81,12 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest end test "query string without equal" do - assert_parses({ "action" => nil }, "action") + assert_parses({"action" => nil}, "action") + assert_parses({"action" => {"foo" => nil}}, "action[foo]") + assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]") + assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]") + assert_parses({"action" => {"foo" => nil}}, "action[foo][]") + assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]") end test "query string with empty key" do -- cgit v1.2.3