Acts_as_taggable vulnerable to attacks?

Hi all!

I’d like to confirm if I’m reading correctly.

It seems ActiveRecord::Acts::Taggable::SingletonMethods#find_tagged_with
is vulnerable to SQL injection attacks:

def find_tagged_with(options = {})
  options = { :separator => ' ' }.merge(options)

  tag_names = ActiveRecord::Acts::Taggable.split_tag_names(options[:any] || options[:all], options[:separator])
  raise "No tags were passed to :any or :all options" if tag_names.empty?

  o, o_pk, o_fk, t, t_pk, t_fk, jt = set_locals_for_sql
  sql = "SELECT #{o}.* FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk}
         AND (#{t}.name = '#{tag_names.join("' OR #{t}.name='")}')
         AND #{o}.#{o_pk} = #{jt}.#{o_fk}"

end

Notice tag_names is directly interpolated into the generated SQL?

First of all, am I seeing things correctly? If so, we should simply
be calling #quote here, right?

Bye!
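The tag predicate from the post, built both as the plugin interpolates it and with each tag name quoted, as an added example that is not part of the original post or of the acts_as_taggable plugin. `quote_sql_string` is a stand-in (an assumption) for ActiveRecord's `connection.quote`, using the standard SQL rule of doubling an embedded single quote; real adapters differ (MySQL also backslash-escapes), which is why the adapter's own quoting routine, not a hand-rolled one, belongs in the fix. A small literal scanner shows what a SQL parser would see in each case.

```ruby
# Added example, not code from acts_as_taggable. Demonstrates why the tag
# names in find_tagged_with must go through the connection's quote method.

# Stand-in for ActiveRecord's connection.quote (assumption: standard SQL
# doubling of embedded single quotes, as SQLite and PostgreSQL do).
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The predicate exactly as the plugin interpolates it: tag names go straight
# into the SQL string with no quoting.
def unsafe_tag_predicate(tag_names, t = 'tags')
  "(#{t}.name = '#{tag_names.join("' OR #{t}.name='")}')"
end

# Hardened form: every tag name passes through the quoting routine, so each
# tag is exactly one literal no matter what characters it contains.
def quoted_tag_predicate(tag_names, t = 'tags')
  '(' + tag_names.map { |name| "#{t}.name = #{quote_sql_string(name)}" }.join(' OR ') + ')'
end

# Toy scanner: returns the string literals a SQL parser would see, honouring
# the doubled-quote escape. Lets us compare "what we meant" with "what the
# database will actually compare against".
def sql_string_literals(sql)
  literals = []
  i = 0
  while i < sql.length
    if sql[i] == "'"
      i += 1
      buf = +''
      loop do
        raise ArgumentError, 'unterminated string literal' if i >= sql.length
        if sql[i] != "'"
          buf << sql[i]
          i += 1
        elsif sql[i + 1] == "'"   # doubled quote: a literal apostrophe
          buf << "'"
          i += 2
        else
          i += 1                  # closing quote
          break
        end
      end
      literals << buf
    else
      i += 1
    end
  end
  literals
end

# True when the database would compare against exactly the tag names given.
def predicate_matches_tags?(predicate, tag_names)
  sql_string_literals(predicate) == tag_names
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input; the apostrophe in the second tag is the point.
  tags = ['rails', "rock'n'roll"]
  puts unsafe_tag_predicate(tags)
  puts quoted_tag_predicate(tags)
  p sql_string_literals(unsafe_tag_predicate(tags))   # ["rails", "rock", "roll"]
  p sql_string_literals(quoted_tag_predicate(tags))   # ["rails", "rock'n'roll"]
end
```

With the unquoted build, a tag containing an apostrophe ends its literal early and the remainder of the tag becomes bare SQL, so the statement no longer means what the caller intended; with quoting, the two tags come back as exactly two literals. Inside ActiveRecord the equivalent of `quote_sql_string(name)` is `connection.quote(name)`, which is the `#quote` the post refers to.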